
    Disabling TLS 1.0 and 1.1 on your mailserver

    Transport Layer Security (TLS) is the successor to SSL and is used to secure communications on a computer network (e.g. the internet), for example the connection from your computer to a website or mail server. Nowadays, when people talk about SSL, they always mean TLS.

    Various TLS versions have been released over the years, of which TLS 1.0 and TLS 1.1 have already reached a so-called 'End of Life' status since June 2018. This means that these versions will no longer be updated and their use is potentially unsafe.

    For backwards compatibility, we have supported TLS 1.0 and TLS 1.1 on the VPS mail service until the end of 2021. However, for security reasons, we decided that as of the end of April 2022, we will no longer support these older TLS versions. Should you be unable to update your TLS version, we recommend disabling the VPS mail service and instead sending mail directly from your VPS.

    When using the VPS mail service, it is therefore important to ensure that you use TLS 1.2 or newer. Mail software is generally smart in its TLS usage and will automatically use the newest available version, meaning that if you support TLS 1.2 or newer, disabling 1.0 and 1.1 is optional (but recommended for security reasons).

    In this tutorial we will show you how to check whether you are using TLS 1.2 or not and if so, how to disable TLS 1.0 or 1.1 on your mail server.

    • Regardless of which operating system or mail server you use, it is important that they are up-to-date. Therefore, first check whether any updates are available and install them. Most software is set up in such a way that it automatically uses the latest available TLS version.
       
    • The steps in this guide are intended to get you started, but individual steps may vary with legacy installations. We offer no guarantees for operating systems and software versions that have reached an End of Life status.
       
    • DirectAdmin and cPanel automatically use the most up-to-date TLS version. If your server is up to date, then no further actions are required.

    Check if you're already using TLS 1.2 or newer in Linux

     

    First things first! Are you actually using TLS 1.0 or TLS 1.1? There is a command in Linux that allows you to easily check this:

    openssl s_client -connect 123.123.123.123:465
    
    • Replace 123.123.123.123 with the IP address of your mail server (or the hostname).
    • You can change the port, for example to 587 (SMTP), 993 (IMAPS) or 995 (POP3S). In practice, these ports will usually all report the same, latest supported TLS version.
    • For the VPS mail service, it's only necessary to check port 465 or 587 (depending on your setup).

    The command above will only show the latest supported TLS version. To check whether you also support TLS 1.0 and/or TLS 1.1, use the following commands as well:

    openssl s_client -tls1 -connect 123.123.123.123:465
    openssl s_client -tls1_1 -connect 123.123.123.123:465
    

    When using these commands, you're shown a bunch of information, but all you need to look for is the following bit:

    ---
    read R BLOCK
    ---
    Post-Handshake New Session Ticket arrived:
    SSL-Session:
        Protocol  : TLSv1.3
        Cipher    : TLS_AES_256_GCM_SHA384

    Do you see Protocol : TLSv1.2 or Protocol : TLSv1.3 here? Congratulations! Your server already makes use of a safe TLS version.

    Do you see Protocol : TLSv1.0 or Protocol : TLSv1.1? First, update your VPS completely using the commands below, restart your VPS and use the command above again to check if you now do see TLSv1.2 or TLSv1.3. If not, continue with the paragraphs below.

    Ubuntu / Debian:

    apt -y update && apt -y upgrade

    CentOS/AlmaLinux:

    yum -y update
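The version check described above can be scripted so that every protocol version is probed in one run and the result is read from the Protocol and Cipher lines automatically. This is an added example, not part of the original article; the function names and the script name tlscheck.sh are hypothetical, and the sample outputs are constructed. It can also be re-run after the configuration changes in the sections below.

```shell
#!/bin/sh
# Added example, not from the original article.

# Read `openssl s_client` output on stdin. Print the negotiated protocol,
# or "none" when no cipher was agreed on (the handshake failed).
negotiated_protocol() {
    awk -F': *' '
        /^ *Protocol *:/ { proto = $2 }
        /^ *Cipher *:/   { cipher = $2 }
        END {
            gsub(/[ \t\r]+$/, "", proto); gsub(/[ \t\r]+$/, "", cipher)
            if (proto == "" || cipher == "" || cipher == "0000") print "none"
            else print proto
        }'
}

# Force one protocol version against host:port. Port 587 starts in plain
# SMTP, so STARTTLS is requested there; 465, 993 and 995 start with TLS.
# Caveat: "none" for -tls1/-tls1_1 can also mean the local OpenSSL policy
# refuses those versions, so run this from a client that still allows them.
probe() {
    if [ "$2" = 587 ]; then set -- "$1" "$2" "$3" -starttls smtp; fi
    host=$1; port=$2; flag=$3; shift 3
    openssl s_client "$flag" "$@" -connect "$host:$port" </dev/null 2>/dev/null |
        negotiated_protocol
}

# Print one line per forced version: the flag and what was negotiated.
report() {
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        printf '%-8s %s\n' "$flag" "$(probe "$1" "$2" "$flag")"
    done
}

# Constructed sample outputs (not captured from a real server).
sample_accepted() {
    printf '%s\n' 'New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384' \
        'SSL-Session:' '    Protocol  : TLSv1.3' \
        '    Cipher    : TLS_AES_256_GCM_SHA384'
}
sample_refused() {
    printf '%s\n' 'New, (NONE), Cipher is (NONE)' 'SSL-Session:' \
        '    Protocol  : TLSv1.1' '    Cipher    : 0000'
}

# Usage: sh tlscheck.sh 123.123.123.123 465
if [ "$#" -ge 2 ]; then report "$1" "$2"; fi
```

A server that has TLS 1.0 and 1.1 disabled reports "none" for -tls1 and -tls1_1 and a protocol name for -tls1_2 (and -tls1_3 where supported).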

    Using TLS 1.2+ for Plesk installations

     

    Plesk allows you to easily modify the TLS versions used (Plesk installations from 2019 already use TLS 1.2). In this tutorial we will show you how to disable TLS 1.0 and 1.1 in Plesk.


    Disable TLS 1.0 and 1.1 in Dovecot

     

    Regardless of whether you use Postfix or Exim to send mail, if you also want to be able to receive mail, you need Dovecot on a Linux distro. Fortunately, this means that the configuration is (almost) the same for different operating systems and, as a bonus, it is also quite simple to put together.

    The easiest solution is simply to keep Dovecot (and your entire server) up to date. In the most recent versions of Dovecot, TLS 1.0 and 1.1 are disabled. Even with slightly less recent versions, the most recent TLS version is automatically used.

    If you still want to manually disable TLS 1.0 and 1.1, adjust the configuration as follows:

     

    Step 1

    Open Dovecot's SSL configuration. Most commonly, the required file is:

    nano /etc/dovecot/conf.d/10-ssl.conf

     

    Step 2

    Add the line below to the file.

    ssl_min_protocol = TLSv1.2

    Dovecot versions older than 2.3 require another option instead:

    ssl_protocols = TLSv1.2 

    Save the changes and close the file (ctrl + x > y > enter). Finally, reboot your VPS.


    Disabling TLS 1.0 and 1.1 in Postfix

     

    Postfix supports TLS 1.2 from version 2.6 and TLS 1.3 from version 3.4 and newer. You can check the version you are using with the command:

    postconf -d | grep mail_version

    If your installation is up-to-date enough you can set a minimum requirement of TLS 1.2 as follows:

     

    Step 1

    Open Postfix's configuration. In nearly all cases the file will be:

    nano /etc/postfix/main.cf

     

    Step 2

    Add the lines below to the bottom of the opened file:

    smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
    smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
    smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
    smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

    Save the changes and close the file (ctrl + x > y > enter). Finally, reboot your VPS.


    Disabling TLS 1.0 and 1.1 in Exim

     

    Step 1

    Open Exim's configuration, depending on your operating system the file name may vary a little. The most common ones are:

    Ubuntu / Debian:

    nano /etc/exim4/exim4.conf.template

    CentOS / AlmaLinux / Rocky Linux

    nano /etc/exim/exim.conf

     

    Step 2

    Add the following line to the file immediately above the line which reads 'auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}'. auth_advertise_hosts usually is located in the first code block upon opening the file.

    tls_require_ciphers = SECURE192:!VERS-SSL3.0:!VERS-TLS1.0:!VERS-TLS1.1:!VERS-DTLS0.9:!VERS-DTLS1.0 

    Depending on your setup, your server may support a different cipher set. Should you no longer be able to connect to Exim after these steps, then you can also try the following settings:

    tls_require_ciphers = SUITEB192:!VERS-SSL3.0:!VERS-TLS1.0:!VERS-TLS1.1:+VERS-TLS1.2:-ARCFOUR-128
    

    Save the changes and close the file (ctrl + x > y > enter). Finally, reboot your VPS.


    Disabling TLS 1.0 and 1.1 for Exchange Server

     

    It's important to first check whether or not you actually support TLS 1.0 and/or TLS 1.1, as your server may already be up-to-date. This can easily be done by checking the Windows registry:

     

    Step 1

    Click on the Windows Start button, type 'regedit' and click on 'Registry Editor' in the search results.



     

    Step 2

    At the top of the Registry Editor, enter the line 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\', or click through the folder structure on the left until you reach this specific folder.

    Do you not see additional folders for TLS 1.0 and 1.1 but only TLS 1.2? Then you already don't use TLS 1.0 and 1.1 and are finished with this tutorial.



     

    If you do, however, use TLS 1.0 and/or TLS 1.1, additional steps are required:

     

    Step 1

    Before actually disabling TLS 1.0 and 1.1, it's important that your Exchange server is actually ready for disabling TLS 1.0 and 1.1 and the exclusive use of TLS 1.2. For this, first follow the steps outlined in Microsoft's manuals below:


     

    Step 2

    Click the Windows Start button and type 'Notepad'. In the results, right-click 'Notepad' and select 'Run as Administrator'.


     

    Step 3

    Add the text below:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
    "DisabledByDefault"=dword:00000001
    "Enabled"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
    "DisabledByDefault"=dword:00000001
    "Enabled"=dword:00000000

    Save the file using the name and extension 'TLS10-Disable.reg' (Behind 'Save as type' select the option 'All files').



     

    Step 4

    Double click on the file you just created and click 'Yes' to accept its content being added to your registry.


     

    Step 5

    Repeat steps 4 - 6, but this time name the file TLS11-Disable.reg and use the contents below:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
    "DisabledByDefault"=dword:00000001
    "Enabled"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
    "DisabledByDefault"=dword:00000001
    "Enabled"=dword:00000000

    You have now finished disabling TLS 1.0 and 1.1 on your Exchange Server.


     

    This concludes our tutorial on disabling TLS 1.0 and 1.1 on various mailservers.

    Should you have any questions left regarding this article, do not hesitate to contact our support department. You can reach them via the ‘Contact Us’ button at the bottom of this page.

     
