
Custom TLS settings

Changing some of the following values can affect your server's security or availability.

Poste.io comes preconfigured by default with the latest security measures. Even though the cipher settings are carefully chosen to be available to most current devices, some legacy devices can have problems logging in or sending emails. Custom TLS settings are here to save the administrator's day.

To change the default TLS settings for the SMTP, POP3 and IMAP services, locate these lines in /<data-folder>/server.ini:

[tls]
; Custom settings for TLS (only Dovecot and Haraka). Be warned, mailserver can stop working with invalid settings.

auth_required = 1
inbound_min_version = 
inbound_ciphers = 

Every server.ini change requires the container to be restarted.

auth_required - allowed values are 0 or 1 (default). To fully disable the TLS requirement for user logins, change this value to 0. Logins, passwords and emails will then be transferred in plaintext over the internet. You should not change this setting unless you know what you are doing.

inbound_min_version - sets the minimum TLS version to allow. One of 'TLSv1.3', 'TLSv1.2', 'TLSv1.1', or 'TLSv1'. Using less than TLSv1.1 is not recommended, but it may be required for interoperability. The default value is TLSv1.1.

inbound_ciphers - cipher suite specification, replacing the default. For more information, see modifying the default cipher suite

Example for legacy clients

[tls]
; Custom settings for TLS (only Dovecot and Haraka). Be warned, mailserver can stop working with invalid settings.

auth_required = 1
inbound_min_version = TLSv1 
inbound_ciphers = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA 

A good source of settings is the Mozilla SSL Configuration Generator.
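
Before restarting the container with a custom [tls] section, the three keys can be checked with a short script. This is an added example, not part of the poste.io documentation: the function name audit_tls and the cipher rules (flagging 3DES and suites without ECDHE/DHE key exchange) are assumptions of this example, and the sample input is a constructed, shortened form of the legacy example above.

```python
import configparser

# Versions the page lists as accepted, weakest first.
VERSIONS = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
DEFAULT_MIN = "TLSv1.1"  # default stated on the page

def audit_tls(ini_text):
    """Return (key, message) findings for the [tls] section of server.ini."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(ini_text)
    tls = cp["tls"] if cp.has_section("tls") else {}
    findings = []

    # auth_required = 0 lets users log in without TLS.
    if tls.get("auth_required", "1").strip() == "0":
        findings.append(("auth_required", "logins allowed without TLS (plaintext)"))

    # An empty value means the default applies.
    ver = tls.get("inbound_min_version", "").strip() or DEFAULT_MIN
    if ver not in VERSIONS:
        findings.append(("inbound_min_version", f"invalid value {ver!r}"))
    elif VERSIONS.index(ver) < VERSIONS.index("TLSv1.1"):
        findings.append(("inbound_min_version", f"{ver} is below TLSv1.1"))

    # Assumed rules of this example, using OpenSSL suite names:
    # 3DES suites, then suites with no ephemeral (EC)DHE key exchange.
    # TLS 1.3 names (TLS_...) always use ephemeral key exchange.
    for suite in filter(None, tls.get("inbound_ciphers", "").strip().split(":")):
        if "DES-CBC3" in suite:
            findings.append(("inbound_ciphers", f"{suite}: 3DES"))
        elif not suite.startswith(("ECDHE-", "DHE-", "TLS_")):
            findings.append(("inbound_ciphers", f"{suite}: no forward secrecy"))
    return findings

# Constructed sample: shortened form of the legacy-client example.
SAMPLE = """\
[tls]
; Custom settings for TLS
auth_required = 1
inbound_min_version = TLSv1
inbound_ciphers = ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:AES128-SHA:DES-CBC3-SHA
"""

if __name__ == "__main__":
    for key, msg in audit_tls(SAMPLE):
        print(f"{key}: {msg}")
```

An empty findings list means only that none of these checks fired; it does not confirm that Dovecot and Haraka will accept the cipher string.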