On Mon, 05 Sep 2011 19:21:27 +0700 Wietse Venema <wie...@porcupine.org> wrote:

>>wh...@hushmail.com:
>> Aug 31 21:38:14 johndoe postfix/smtpd[16200]:
>> s097.networking4all.com[213.249.64.242]: TLS cipher list
>> "ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH"
>...
>> smtpd_tls_security_level = may
>> smtpd_tls_mandatory_ciphers = medium
>> smtp_tls_protocols = !SSLv2, !SSLv3
>
>Comment out all your smtpd_tls lines (including the lines that you
>did not show) until the output from the command "postconf -n" shows
>only these four:
>
>smtpd_tls_CAfile
>smtpd_tls_cert_file
>smtpd_tls_key_file
>smtpd_tls_security_level
>
>Then add back your tweaks one by one (executing the command "postfix
>reload" after each change) and learn which change breaks
>interoperability.
>
>You may also find some helpful hints in
>www.postfix.org/TLS_README.html.
>
> Wietse
I did; I went as far as installing Postfix on a vanilla system on a different distro (Ubuntu server). I can confirm that even with only those four smtpd_tls lines the result is no different.

hack...@cincomail.com wrote:

>wh...@hushmail.com wrote:
>> The thing is I'm trying to check my SSL configuration using this
>> tool:
>> http://www.networking4all.com/en/support/tools/site+check/report/
>>
>> and while it can validate my certificate just fine, it says that it
>> can't establish a secure connection.
>>
>Be aware that test site looks at SMTPS port 465, and not STARTTLS over
>port 25. Make sure that master.cf has any -o options for smtps that you
>might require.

Thanks for pointing that out. Tcpdump does confirm that the networking4all.com tool only probes port 465 in its smtps check.

This is my current master.cf config:

(. . . . .)
smtp        inet  n       -       -       -       -       smtpd
#submission inet  n       -       -       -       -       smtpd
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps       inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
(. . . . )

Anything I should change? FWIW, Outlook is able to connect to port 465 using SASL.

Interestingly, the networking4all.com SMTP server (smtp.networking4all.com) is also running Postfix and it passes its own tool. I wonder what config they put in main.cf and master.cf.

Thank you for your reply, Wietse and Greg.
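The distinction Greg raises above (implicit TLS in wrapper mode on port 465 versus STARTTLS on port 25) is easy to get wrong when reading master.cf, and easy to verify from the outside. The following is an added example, not code from the thread or from the Postfix project: it parses a master.cf fragment (the constructed sample is the one posted above), reports for each smtpd service whether it speaks implicit TLS, STARTTLS or no TLS, and, given a hostname on the command line, probes ports 465 and 25 the two different ways a checker would. The parser is deliberately minimal (no multi-word arguments) and the probes skip certificate verification because the point is reachability and handshake, not chain validation; names such as tls_mode and the main_cf_security_level parameter are this example's own.

```python
"""Classify Postfix smtpd services in master.cf by how they offer TLS, and
optionally probe a live host both ways: implicit TLS (what a port-465
checker expects) and STARTTLS (what port-25 delivery uses)."""
import re
import smtplib
import socket
import ssl
import sys

# Constructed sample: the master.cf fragment from the post, including the
# commented-out submission service.
SAMPLE_MASTER_CF = """\
smtp        inet  n       -       -       -       -       smtpd
#submission inet  n       -       -       -       -       smtpd
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps       inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
"""


def parse_master_cf(text):
    """Return {service: {"type", "command", "options"}} for uncommented entries.
    Indented continuation lines carry '-o key=value' overrides that apply to
    the service entry preceding them."""
    services = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank line or comment (also hides commented -o lines)
        if raw[0].isspace():
            if current is None:
                continue
            m = re.match(r"\s*-o\s+([^=\s]+)=(.*)", raw)
            if m:
                services[current]["options"][m.group(1)] = m.group(2).strip()
            continue
        fields = raw.split()
        if len(fields) < 8:
            continue  # service type private unpriv chroot wakeup maxproc command
        current = fields[0]
        services[current] = {"type": fields[1], "command": fields[7], "options": {}}
    return services


def tls_mode(entry, main_cf_security_level="may"):
    """'implicit' = smtpd_tls_wrappermode=yes (TLS before any SMTP banner),
    'starttls' = TLS offered after EHLO, 'none' = security level none.
    main_cf_security_level is the assumed global smtpd_tls_security_level;
    the poster's main.cf sets it to 'may'."""
    if entry["command"] != "smtpd":
        return "n/a"
    opts = entry["options"]
    if opts.get("smtpd_tls_wrappermode") == "yes":
        return "implicit"
    level = opts.get("smtpd_tls_security_level", main_cf_security_level)
    return "none" if level == "none" else "starttls"


def _probe_context():
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # must precede verify_mode change
    ctx.verify_mode = ssl.CERT_NONE   # checking the handshake, not the chain
    return ctx


def probe_implicit_tls(host, port=465, timeout=10):
    """Handshake TLS immediately on connect, as a port-465 checker does.
    Returns (tls_version, cipher, server_banner)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with _probe_context().wrap_socket(sock, server_hostname=host) as tls:
            banner = tls.recv(512).decode("ascii", "replace").strip()
            return tls.version(), tls.cipher()[0], banner


def probe_starttls(host, port=25, timeout=10):
    """Plain SMTP, EHLO, then STARTTLS. Returns (tls_version, cipher)."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        s.starttls(context=_probe_context())
        return s.sock.version(), s.sock.cipher()[0]


if __name__ == "__main__":
    for name, entry in parse_master_cf(SAMPLE_MASTER_CF).items():
        print(f"{name:12} {tls_mode(entry)}")
    if len(sys.argv) > 1:  # optional live probe: python3 probe.py mail.example.org
        host = sys.argv[1]
        print("465 implicit TLS:", probe_implicit_tls(host))
        print("25  STARTTLS:    ", probe_starttls(host))
```

Run without arguments it prints smtp as starttls and smtps as implicit, which is what the posted master.cf should yield; if smtps came out as starttls, the -o smtpd_tls_wrappermode=yes line is not being applied to that service. The same two probes by hand are `openssl s_client -connect host:465` and `openssl s_client -starttls smtp -connect host:25`; a wrapper-mode listener that answers the first with a cleartext banner instead of a TLS handshake is the symptom a port-465 checker reports as "can't establish a secure connection".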