Custom TLS settings

Changing some of the following values may affect the security or availability of your server.

By default, the mail server is pre-configured with the latest security measures. Although the cipher settings are carefully chosen to work with most current devices, some legacy devices may have problems logging in or sending email. Custom TLS settings are available to fine-tune compatibility for less capable or obsolete clients.

To change the default TLS settings for the SMTP, POP3 and IMAP services, locate these lines in /<data-folder>/server.ini:

; Custom settings for TLS (only Dovecot and Haraka). Be warned, mailserver can stop working with invalid settings.

auth_required = 1
inbound_min_version = 
inbound_ciphers = 
Any change to server.ini requires the container to be restarted.

auth_required - allowed values are 0 or 1 (default). To completely disable the TLS requirement when users log in, change this value to 0. This will cause logins, passwords and emails to be sent over the internet in clear text. Do not change this setting unless you know what you are doing.

inbound_min_version - sets the minimum TLS version to allow. One of 'TLSv1.3', 'TLSv1.2', 'TLSv1.1', or 'TLSv1'. Using a version lower than TLSv1.1 is not recommended, but it may be required for interoperability. The default value is TLSv1.1.

inbound_ciphers - cipher suite specification, replacing the default. For more information, see modifying the default cipher suite.

Example for legacy clients

; Custom settings for TLS (only Dovecot and Haraka). Be warned, the mail server may stop working with invalid settings.

auth_required = 1
inbound_min_version = TLSv1 

A good source for settings is the Mozilla SSL Configuration Generator.
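
A pre-restart check for the three settings described above, as an added example (not part of the original page or the product's own tooling). It assumes the keys appear as plain key = value lines in server.ini; the function names and the sample inputs are made up for illustration.

```python
# Added example: audit the three TLS keys described on this page.
ALLOWED_VERSIONS = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]  # weakest first
# Defaults as documented above; "" means the default cipher suite is not replaced.
DEFAULTS = {"auth_required": "1", "inbound_min_version": "TLSv1.1", "inbound_ciphers": ""}


def parse_settings(text):
    """Collect key = value pairs, skipping ';' comments, blanks and [section] headers."""
    settings = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#", "[")) or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in DEFAULTS and value:  # an empty value keeps the documented default
            settings[key] = value
    return settings


def audit(text):
    """Return a list of (severity, message) findings for the TLS settings."""
    s = parse_settings(text)
    findings = []
    if s["auth_required"] not in ("0", "1"):
        findings.append(("error", f"auth_required must be 0 or 1, got {s['auth_required']!r}"))
    elif s["auth_required"] == "0":
        findings.append(("critical", "auth_required = 0: logins and mail travel in clear text"))
    version = s["inbound_min_version"]
    if version not in ALLOWED_VERSIONS:
        findings.append(("error", f"inbound_min_version {version!r} is not an allowed value"))
    elif ALLOWED_VERSIONS.index(version) < ALLOWED_VERSIONS.index("TLSv1.1"):
        findings.append(("warning", f"inbound_min_version {version} is below the recommended TLSv1.1"))
    if s["inbound_ciphers"]:
        findings.append(("info", "inbound_ciphers replaces the default cipher suite; review it"))
    return findings


# Constructed sample inputs (not taken from a real server).
LEGACY = "; Custom settings for TLS\nauth_required = 1\ninbound_min_version = TLSv1 \n"
BROKEN = "auth_required = 0\ninbound_min_version = TLS1.2\ninbound_ciphers = \n"

if __name__ == "__main__":
    for name, sample in (("legacy", LEGACY), ("broken", BROKEN)):
        for severity, message in audit(sample):
            print(f"{name}: {severity}: {message}")
```

An "error" finding marks a value outside the allowed set, which is the kind of invalid setting the comment in server.ini warns can stop the mail server.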