On Sat, Dec 07, 2024 at 10:29:12PM +0100, Gerd Hoerst via Postfix-users wrote:

> I found a nice internet site (https://internet.nl) where you can test
> your www or email server.
>
> If I run the test on my actual "in setup" email server I get 2 failures
> where I can't figure out after a lot of googling and try out to solve it.
>
> The first one is the complaint about the algo selection
>
> smtp.hoerst.net. ADH-AES256-GCM-SHA384 insufficient

If you don't have a regulator forcing you to implement their silly
requirement, ignore this. Postfix is doing the right thing.

> The second is
>
> it complaining about Key exchange parameters
>
> smtp.hoerst.net. DH-2048 insufficient

If you don't have a regulator forcing you to implement their silly
requirement, ignore this. Postfix is doing the right thing. With TLS
1.2 in SMTP, that's still likely to be more interoperable than larger DH
key sizes, and plenty secure. If your email warrants a brute force
attack resistance work-factor of more than 2^112, there's a nice bridge
in Brooklyn you might be interested in buying.

> So I really do not understand what else I could do...

Run a reasonably recent Postfix release; we very gradually raise the
floor, only when it seems like almost nobody is likely to be adversely
affected, and the change has at least some merit.

-- 
    Viktor.