* Viktor Dukhovni <postfix-us...@dukhovni.org> [2013-08-20 16:51]:
> > I found the problem... In addition to my normal certificate, I had an
> > EC certificate.
> >
> > smtpd_tls_eccert_file=/etc/postfix/certs/cacert-karotte-ec.crt
>
> Though I think OpenSSL will generally detect attempts to configure
> a public key (certificate) without a matching private key, you
> should check that the private key and certificate match:

Hi,

yes I checked and they are matching.

> If you're willing to test briefly with the EC certificate re-enabled,
> it would be helpful to capture a full packet capture tcpdump (aka
> pcap) file with a failed delivery from gmx.de/web.de. Viewing this
> with "wireshark" will show exactly where in the handshake the problem
> occurred and may shed some light on the reason.

I just did, here is the PCAP: http://www.karotte.org/smtp-gmx.pcap

> There are no known practical attacks on 256-bit EC keys and 384-bit
> EC is slower. AES-128 with EC-256 is sufficiently secure for SMTP
> TLS. Though I expect that if the sender has trouble with 384-bit
> EC, they'll have trouble with EC in general.

I found no real guidance in regards to EC so I chose a higher one.

Regards
Sebastian

-- 
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant
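The thread asks the poster to confirm that the EC certificate and its private key match, and discusses which curve size was chosen. The script below is an added example (not from the thread or from Postfix) showing how an operator can make both checks with the OpenSSL command-line tool before pointing Postfix at the files. It assumes `openssl` (and, for the Postfix helper, `postconf`) are on PATH; the certificate and key file paths are whatever the operator passes in, and the Postfix helper reads them from `smtpd_tls_eccert_file` / `smtpd_tls_eckey_file` (the latter defaults to the former in Postfix).

```shell
#!/bin/sh
# Added example, not part of the thread: check that an EC (or RSA) TLS
# certificate and private key belong together, and report the curve, before
# pointing Postfix at them.  Assumes the OpenSSL CLI is on PATH; file paths
# are supplied by the caller.

# cert_key_match CERT KEY
#   Compares the SubjectPublicKeyInfo carried in the certificate with the
#   public key derived from the private key.  Comparing the whole public-key
#   encoding (rather than an RSA modulus) makes this work for EC and RSA alike.
#   Exit status: 0 = match, 1 = mismatch, 2 = file unreadable or unparsable.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ -n "$key_pub" ] || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# ec_curve_of CERT
#   Prints the named curve of an EC certificate (e.g. prime256v1, secp384r1)
#   as OpenSSL labels it on the "ASN1 OID:" line; prints nothing for RSA.
ec_curve_of() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/^[[:space:]]*ASN1 OID:[[:space:]]*//p'
}

# check_postfix_ec_pair
#   Reads the EC certificate/key paths from the running Postfix configuration
#   (smtpd_tls_eckey_file defaults to smtpd_tls_eccert_file) and checks them.
check_postfix_ec_pair() {
    cert=$(postconf -h smtpd_tls_eccert_file) || return 2
    key=$(postconf -h smtpd_tls_eckey_file) || return 2
    [ -n "$cert" ] || { echo "no EC certificate configured"; return 0; }
    [ -n "$key" ] || key=$cert
    if cert_key_match "$cert" "$key"; then
        echo "OK: $cert matches $key (curve: $(ec_curve_of "$cert"))"
    else
        echo "FAIL: $cert and $key do not match (or cannot be read)" >&2
        return 1
    fi
}

# Command-line use:
#   ./ec-check.sh --postfix          check the pair Postfix is configured with
#   ./ec-check.sh cert.pem key.pem   check an arbitrary pair
if [ "${1:-}" = "--postfix" ]; then
    check_postfix_ec_pair
elif [ $# -eq 2 ]; then
    if cert_key_match "$1" "$2"; then
        echo "match (curve: $(ec_curve_of "$1"))"
    else
        echo "no match"
    fi
fi
```

A mismatch found here is the cheap explanation to rule out before reaching for a packet capture; if the pair matches and the curve is the one intended, the handshake failure lies with the peer's EC support, which is where the pcap suggested above comes in.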