Viktor Dukhovni wrote:
> On Mon, Sep 15, 2014 at 05:16:19PM +1000, shm...@riseup.net wrote:
> 
>> if i have an EC mail server cert and if an MTA setup to send/receive
>> gives the following:
> 
> Always configure at least some sort of RSA certificate along with
> any ECDSA certificates.  The RSA certificate can be self-signed.
> Many systems don't support ECDSA, and also don't enable anonymous
> cipher suites, so they fail when no RSA certificate is offered.

Are you saying even if the RSA cert is self-signed, as long as the EC
cert is from a commercial CA (which it is) then RSA-based ciphers will
still be negotiated?

Is this process automated by Postfix in that I simply need to
additionally specify:

smtp_tls_cert_file
smtp_tls_key_file
smtpd_tls_cert_file
smtpd_tls_key_file

Did you mean I should not allow anonymous cipher suites?

i.e. !aNULL:!eNULL:!ADH


> 
>> postfix/smtpd[7060]: initializing the server-side TLS engine
>> postfix/smtpd[7060]: connect from medusa.blackops.org[208.69.40.157]
>> postfix/smtpd[7060]: warning: milter inet:127.0.0.1:10023: can't read
>> SMFIC_OPTNEG reply packet header: Connection timed out
>> postfix/smtpd[7060]: warning: milter inet:127.0.0.1:10023: read error in
>> initial handshake
> 
> Also fix this.

I posted this to the greylist mailing list ages ago - nobody knows.

> 
>> postfix/smtpd[7060]: setting up TLS connection from
>> medusa.blackops.org[208.69.40.157]
>> postfix/smtpd[7060]: medusa.blackops.org[208.69.40.157]: TLS cipher list
>> "!ANULL:!EXPORT:!MD5:!DES:!LOW:ALL:@STRENGTH"
>> postfix/smtpd[7060]: SSL_accept:before/accept initialization
>> postfix/smtpd[7060]: SSL3 alert write:fatal:handshake failure
>> postfix/smtpd[7060]: SSL_accept:error in SSLv3 read client hello C
>> postfix/smtpd[7060]: SSL_accept:error in SSLv3 read client hello C
>> postfix/smtpd[7060]: SSL_accept error from
>> medusa.blackops.org[208.69.40.157]: -1
>> postfix/smtpd[7060]: warning: TLS library problem: error:1408A0C1:SSL
>> routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1358:
>> postfix/smtpd[7060]: lost connection after STARTTLS from
>> medusa.blackops.org[208.69.40.157]
>> postfix/smtpd[7060]: disconnect from medusa.blackops.org[208.69.40.157]
> 

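As an added example (not part of this thread, and not Postfix's own tooling), here is a small Python triage script for the kind of log shown above. It groups smtpd lines by process id (one smtpd process serves one session at a time), records the client and the server's logged cipher list per session, and flags sessions that died with "no shared cipher". For each such session it also reports whether the server's cipher string excluded anonymous suites: with aNULL excluded, every remaining suite is tied to the key type of a configured server certificate, which is why an ECDSA-only server loses clients that cannot do ECDSA and why an RSA certificate is recommended alongside it. The sample log is a constructed copy of the lines quoted above with the mail wrapping removed; the regular expressions, the `ANON_KEYWORDS` set and the case-insensitive keyword comparison are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample input: the smtpd lines quoted in the thread, re-typed as
# test data with the mail-wrapped lines joined back together.
SAMPLE_LOG = """\
postfix/smtpd[7060]: initializing the server-side TLS engine
postfix/smtpd[7060]: connect from medusa.blackops.org[208.69.40.157]
postfix/smtpd[7060]: setting up TLS connection from medusa.blackops.org[208.69.40.157]
postfix/smtpd[7060]: medusa.blackops.org[208.69.40.157]: TLS cipher list "!ANULL:!EXPORT:!MD5:!DES:!LOW:ALL:@STRENGTH"
postfix/smtpd[7060]: SSL_accept:before/accept initialization
postfix/smtpd[7060]: SSL3 alert write:fatal:handshake failure
postfix/smtpd[7060]: SSL_accept:error in SSLv3 read client hello C
postfix/smtpd[7060]: SSL_accept error from medusa.blackops.org[208.69.40.157]: -1
postfix/smtpd[7060]: warning: TLS library problem: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1358:
postfix/smtpd[7060]: lost connection after STARTTLS from medusa.blackops.org[208.69.40.157]
postfix/smtpd[7060]: disconnect from medusa.blackops.org[208.69.40.157]
"""

# Assumed log shapes (this tool's own patterns, not Postfix-defined formats).
LINE_RE = re.compile(r'postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)')
CONNECT_RE = re.compile(r'^connect from (?P<host>\S+?)\[(?P<ip>[^\]]+)\]')
CIPHERS_RE = re.compile(r'TLS cipher list "(?P<spec>[^"]*)"')
NO_SHARED_RE = re.compile(r'no shared cipher')

# Cipher-string keywords that select anonymous (unauthenticated) suites.
ANON_KEYWORDS = {'ANULL', 'ADH', 'AECDH'}


def parse_cipher_spec(spec):
    """Split an OpenSSL-style cipher string into included/excluded keywords.
    Keywords are compared case-insensitively here; that is a simplification
    made by this tool, not a statement about OpenSSL's own matching rules."""
    included, excluded = [], []
    for tok in spec.split(':'):
        if not tok:
            continue
        if tok.startswith('!'):
            excluded.append(tok[1:].upper())
        else:
            included.append(tok.upper())
    return {'included': included, 'excluded': excluded,
            'anon_excluded': bool(ANON_KEYWORDS & set(excluded))}


def new_session():
    return {'host': None, 'ip': None, 'cipher_spec': None,
            'no_shared_cipher': False, 'lost_after_starttls': False}


def triage(log_text):
    """Group smtpd lines by process id and return the list of sessions
    with the TLS outcome observed for each one."""
    active = defaultdict(new_session)
    sessions = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        pid, msg = m.group('pid'), m.group('msg')
        s = active[pid]
        c = CONNECT_RE.match(msg)
        if c:
            s['host'], s['ip'] = c.group('host'), c.group('ip')
            continue
        c = CIPHERS_RE.search(msg)
        if c:
            s['cipher_spec'] = c.group('spec')
            continue
        if NO_SHARED_RE.search(msg):
            s['no_shared_cipher'] = True
        elif msg.startswith('lost connection after STARTTLS'):
            s['lost_after_starttls'] = True
        elif msg.startswith('disconnect from'):
            sessions.append(active.pop(pid))
    # Sessions still open at the end of the input are reported as well.
    sessions.extend(active.values())
    return sessions


def failed_handshakes(log_text):
    """Return (host, ip, anon_excluded) for every session that ended with
    'no shared cipher'. With anonymous suites excluded, the suites that
    remain depend on the key types of the server certificates, so a client
    without ECDSA support can only succeed if an RSA certificate is also
    configured."""
    out = []
    for s in triage(log_text):
        if s['no_shared_cipher']:
            spec = parse_cipher_spec(s['cipher_spec'] or '')
            out.append((s['host'], s['ip'], spec['anon_excluded']))
    return out


if __name__ == '__main__':
    for host, ip, anon_excluded in failed_handshakes(SAMPLE_LOG):
        print(f'{host}[{ip}]: no shared cipher; '
              f'anonymous suites excluded={anon_excluded}')
```

Run it against a real mail log by passing the file contents to `failed_handshakes()`; keying on the smtpd process id is what keeps the "TLS library problem" warning, which carries no client name, attached to the right connection when several smtpd processes log at once.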