On Thu, Sep 19, 2024 at 19:10:05 +1000, Viktor Dukhovni via Postfix-users wrote:
> On Thu, Sep 19, 2024 at 10:01:16AM +0200, Geert Hendrickx via Postfix-users wrote:
>
> > > Anonymous TLS connection established from X: TLSv1.3 with cipher
> > > TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange x25519_kyber768
> > > server-signature ECDSA (prime256v1) server-digest SHA256
> >
> > Thanks Viktor!
>
> Good to know it worked, I did not have an easy way to test this, since
> no such providers are built on my end. Test drive this some more, and
> if all is well, I'll send the combined patch to Wietse (or he can of
> course extract both parts from this thread).
It works, and it's even interoperable with gmail's MX.

But provider key exchanges aren't logged for outbound connections by smtp(8)
or posttls-finger:

$ posttls-finger -o tls_eecdh_auto_curves=X25519 gmail.com | grep established
posttls-finger: Untrusted TLS connection established to gmail-smtp-in.l.google.com[142.250.102.26]:25: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (prime256v1) server-digest SHA256

$ posttls-finger -o tls_eecdh_auto_curves=x25519_kyber768 gmail.com | grep established
posttls-finger: Untrusted TLS connection established to gmail-smtp-in.l.google.com[2a00:1450:4025:402::1b]:25: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) server-signature ECDSA (prime256v1) server-digest SHA256

(it is properly using x25519_kyber768 on the wire, just not logging it)

For inbound connections, exotic key exchanges are properly logged, as shown
above, as well as in Received headers.

Geert
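As an added example, not code from the thread or from Postfix itself: a small Python checker that parses the "TLS connection established" lines as logged by smtpd(8), smtp(8) and posttls-finger, and reports the ones where the key-exchange field is absent, which is how the logging gap Geert describes would show up in a log audit. The sample lines are constructed, modelled on those quoted above; the field layout assumed is exactly the one visible in those lines (protocol, cipher, optional key-exchange, optional server-signature, optional server-digest).

```python
import re
from typing import Optional

# Matches the "TLS connection established" line emitted by smtpd(8), smtp(8)
# and posttls-finger, as seen in the thread. The key-exchange, server-signature
# and server-digest fields are optional: outbound connections may omit
# key-exchange, which is precisely the gap being reported.
TLS_ESTABLISHED = re.compile(
    r"(?P<trust>\w+) TLS connection established (?P<direction>from|to) (?P<peer>.+?): "
    r"(?P<protocol>TLSv[\d.]+) with cipher (?P<cipher>\S+) \((?P<bits>\d+/\d+) bits\)"
    r"(?: key-exchange (?P<kex>\S+))?"
    r"(?: server-signature (?P<sig>\S+(?: \([^)]*\))?))?"
    r"(?: server-digest (?P<digest>\S+))?"
)


def parse_tls_established(line: str) -> Optional[dict]:
    """Return the parsed fields of a TLS-established log line, or None if the
    line is not one (e.g. a plain 'disconnect from' line)."""
    m = TLS_ESTABLISHED.search(line)
    if not m:
        return None
    # Unmatched optional groups come back as None, so a missing key-exchange
    # field is visible as rec["kex"] is None.
    return m.groupdict()


def find_unlogged_key_exchange(lines):
    """Return (direction, peer) for every established TLS session whose log
    line carries no key-exchange field."""
    gaps = []
    for line in lines:
        rec = parse_tls_established(line)
        if rec and rec["kex"] is None:
            gaps.append((rec["direction"], rec["peer"]))
    return gaps


# Constructed sample lines, modelled on the ones quoted in the thread
# (syslog prefixes are made up).
SAMPLE_LINES = [
    "Sep 19 10:00:00 mx postfix/smtpd[1234]: Anonymous TLS connection established from X: "
    "TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange x25519_kyber768 "
    "server-signature ECDSA (prime256v1) server-digest SHA256",
    "posttls-finger: Untrusted TLS connection established to gmail-smtp-in.l.google.com[142.250.102.26]:25: "
    "TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 "
    "server-signature ECDSA (prime256v1) server-digest SHA256",
    "posttls-finger: Untrusted TLS connection established to gmail-smtp-in.l.google.com[2a00:1450:4025:402::1b]:25: "
    "TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) "
    "server-signature ECDSA (prime256v1) server-digest SHA256",
    "Sep 19 10:00:01 mx postfix/smtpd[1234]: disconnect from X",  # not a TLS line
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_tls_established(line))
    print("sessions with no key-exchange logged:", find_unlogged_key_exchange(SAMPLE_LINES))
```

Run against a real mail log, this separates "the key exchange was negotiated but not logged" (the third sample line) from "no TLS at all" (the fourth), so an operator checking whether post-quantum groups are actually in use knows which lines cannot answer the question from the log alone.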