On Tue, Sep 16, 2014 at 12:00:33AM +1000, shm...@riseup.net wrote:

> Viktor Dukhovni wrote:
> > On Mon, Sep 15, 2014 at 05:16:19PM +1000, shm...@riseup.net wrote:
> > 
> >> if i have an EC mail server cert and if an MTA setup to send/receive
> >> gives the following:
> > 
> > Always configure at least some sort of RSA certificate along with
> > any ECDSA certificates.  The RSA certificate can be self-signed.
> > Many systems don't support ECDSA, and also don't enable anonymous
> > cipher suites, so they fail when no RSA certificate is offered.
> 
> Are you saying even if the RSA cert is self-signed, as long as the EC
> cert is from a commercial CA (which it is) then RSA based ciphers will
> still be negotiated?

No, I'm saying that clients that don't support ECDSA won't negotiate
ECDSA, and that therefore you *also* need an RSA certificate.

Which public key algorithm is chosen depends on client preferences.
Since almost nobody verifies SMTP server certificates, there is
little reason to make any effort towards ensuring that the CA-issued
ECDSA certificate is chosen in place of the self-signed RSA
certificate.

> Is this process automated by Postfix in that I simply need to
> additionally specify
> 
> smtp_tls_cert_file
> smtp_tls_key_file

Client certificates are generally unnecessary, leave these empty.

> smtpd_tls_cert_file
> smtpd_tls_key_file

Yes, enable both algorithms.  However, take a look at:

http://archives/neohapsis.com/archives/postfix/2014-05/thread.html#230

you need to include all relevant issuing CAs with every certificate,
thus even the self-signed RSA certificate file will need a copy of
the ECDSA certificate's issuing authorities.

> Did you mean I should not allow anonymous cipher suites?
> 
> ie !aNULL:!eNULL:!ADH

I said nothing of the sort.

> >> postfix/smtpd[7060]: initializing the server-side TLS engine
> >> postfix/smtpd[7060]: connect from medusa.blackops.org[208.69.40.157]
> >> postfix/smtpd[7060]: warning: milter inet:127.0.0.1:10023: can't read
> >> SMFIC_OPTNEG reply packet header: Connection timed out
> >> postfix/smtpd[7060]: warning: milter inet:127.0.0.1:10023: read error in
> >> initial handshake
> > 
> > Also fix this.
> 
> I posted this to the greylist mailing list ages ago - nobody knows

Turn off the milter, it is not working.

-- 
        Viktor.
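
As an added example (not code from the original thread, and not Postfix's own), the script below builds the dual-certificate layout Viktor describes: a self-signed RSA fallback certificate next to a CA-issued ECDSA certificate, with the ECDSA issuer's certificate appended to both served chain files, and only the server-side (smtpd_tls_*) parameters set. A throw-away local CA stands in for the commercial issuer; the subject names, the `$WORK` directory and the output file names are assumptions. The parameter names smtpd_tls_eccert_file and smtpd_tls_eckey_file are Postfix's own names for the ECDSA certificate and key.

```shell
#!/bin/sh
# Added example: dual RSA (self-signed) + ECDSA (CA-issued) smtpd certificates.
# The "CA" below is a throw-away stand-in for a commercial issuer (assumption).
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Throw-away issuing CA (stands in for the commercial CA of the ECDSA cert).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example Issuing CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# ECDSA (P-256) server key and a certificate issued by that CA.
make_ecdsa_cert() {
  openssl ecparam -genkey -name prime256v1 -noout -out "$WORK/ec.key"
  openssl req -new -key "$WORK/ec.key" -subj "/CN=mail.example.com" \
    -out "$WORK/ec.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/ec.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -out "$WORK/ec.crt" 2>/dev/null
}

# Self-signed RSA fallback for clients that cannot negotiate ECDSA.
make_rsa_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=mail.example.com" \
    -keyout "$WORK/rsa.key" -out "$WORK/rsa.crt" 2>/dev/null
}

# Chain files: every served certificate file carries the ECDSA cert's
# issuing CA, including the self-signed RSA file (the thread's advice).
build_chain_files() {
  cat "$WORK/ec.crt" "$WORK/ca.pem" > "$WORK/ec-chain.pem"
  cat "$WORK/rsa.crt" "$WORK/ca.pem" > "$WORK/rsa-chain.pem"
}

# Number of certificates in a PEM bundle.
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# The ECDSA leaf must validate against the CA; the RSA leaf must be
# self-signed (issuer equals subject).
verify_chain() {
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/ec.crt" >/dev/null 2>&1 || return 1
  subj=$(openssl x509 -in "$WORK/rsa.crt" -noout -subject)
  iss=$(openssl x509 -in "$WORK/rsa.crt" -noout -issuer)
  [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# main.cf fragment: both server-side algorithms enabled, client-side
# (smtp_tls_*) certificate parameters left empty, as advised in the thread.
write_main_cf() {
  cat > "$WORK/main.cf.tls" <<EOF
smtpd_tls_security_level = may
smtpd_tls_cert_file = $WORK/rsa-chain.pem
smtpd_tls_key_file = $WORK/rsa.key
smtpd_tls_eccert_file = $WORK/ec-chain.pem
smtpd_tls_eckey_file = $WORK/ec.key
smtp_tls_cert_file =
smtp_tls_key_file =
EOF
}

setup_all() {
  make_ca && make_ecdsa_cert && make_rsa_cert && build_chain_files \
    && verify_chain && write_main_cf
}

setup_all && echo "TLS material and main.cf fragment written under $WORK"
```

Once the fragment is merged into main.cf and Postfix reloaded, the two paths can be exercised from another host with `openssl s_client -starttls smtp -connect mail.example.com:25` using `-cipher ECDHE-RSA-AES128-GCM-SHA256` and then `-cipher ECDHE-ECDSA-AES128-GCM-SHA256`; each run should show the matching certificate and, for the ECDSA run, the CA certificate in the chain.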
