Hi Viktor!

OK thanks

Do you have a good page for checking this (including DKIM/DANE/SPF)?

BTW: you said it's OK... but I'm still confused at the point where I defined the dh4096 but the page only saw dh2048

Ciao Gerd

On 07.12.2024 at 22:40, Viktor Dukhovni via Postfix-users wrote:
> On Sat, Dec 07, 2024 at 10:29:12PM +0100, Gerd Hoerst via Postfix-users wrote:
>
> > I found a nice internet site (https://internet.nl) where you can test
> > your www or email server.
> >
> > If I run the test on my actual "in setup" email server I get 2 failures
> > where I can't figure out after a lot of googling and try out to solve it.
> >
> > The first one is the complaint about the algo selection
> >
> > smtp.hoerst.net.        ADH-AES256-GCM-SHA384   insufficient
>
> If you don't have a regulator forcing you to implement their silly
> requirement, ignore this.  Postfix is doing the right thing.
>
> > The second is
> >
> > it is complaining about Key exchange parameters
> >
> > smtp.hoerst.net.        DH-2048         insufficient
>
> If you don't have a regulator forcing you to implement their silly
> requirement, ignore this.  Postfix is doing the right thing.  With TLS
> 1.2 in SMTP, that's still likely to be more interoperable than larger DH
> key sizes, and plenty secure.  If your email warrants a brute force
> attack resistance work-factor of more than 2^112, there's a nice bridge
> in Brooklyn you might be interested in buying.
>
> > So I really do not understand what else I could do...
>
> Run a reasonably recent Postfix release; we very gradually raise the
> floor, only when it seems like almost nobody is likely to be adversely
> affected, and the change has at least some merit.

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
