Viktor Dukhovni wrote: > On Tue, Sep 16, 2014 at 12:00:33AM +1000, shm...@riseup.net wrote: > >> Viktor Dukhovni wrote: >>> On Mon, Sep 15, 2014 at 05:16:19PM +1000, shm...@riseup.net wrote: >>> >>>> if i have an EC mail server cert and if an MTA setup to send/receive >>>> gives the following: >>> >>> Always configure at least some sort of RSA certificate along with >>> any ECDSA certificates. The RSA certificate can be self-signed. >>> Many systems don't support ECDSA, and also don't enabled anonymous >>> cipher suites, so they fail when no RSA certificate is offered. >> >> are you saying even if the RSA cert is self-signed, as long as the EC >> cert is from a commercial CA (which it is) then RSA based ciphers will >> still be negotiated? > > No, I'm saying that clients that don't support ECDSA won't negotiate > ECDSA, and that therefore you *also* need an RSA certificate. > > Which public key algorithm is chosen depends on client preferences. > Since almost nobody verifies SMTP server certificates, there is > little reason to make any effort towards ensuring that the CA-issued > ECDSA certificate is chosen in place of the self-signed RSA > certificate.
why not ? aren't EC algos more resistant to attacks, brute forcing & faster than DHE, etc ? > >> Is this process automated by postfix in that i simply need to >> additionally specify >> >> smtp_tls_cert_file >> smtp_tls_key_file > > Client certificates are generally unnecessary, leave these empty. > >> smtpd_tls_cert_file >> smtpd_tls_key_file > > Yes, enable both algorithms. However, take a look at: > > http://archives/neohapsis.com/archives/postfix/2014-05/thread.html#230 ok thx, good read after i thought i was going mad before seeing the / > > you need to include all relevant issuing CAs with every certificate, > thus even the self-signed RSA certificate file will need a copy of > the ECDSA certificate's issuing authorities. > >> Did you mean i should not allow anonymous cipher suites ? >> >> ie !aNULL:!eNULL:!ADH > > I said nothing of the sort. > >>>> postfix/smtpd[7060]: initializing the server-side TLS engine >>>> postfix/smtpd[7060]: connect from medusa.blackops.org[208.69.40.157] >>>> postfix/smtpd[7060]: warning: milter inet:127.0.0.1:10023: can't read >>>> SMFIC_OPTNEG reply packet header: Connection timed out >>>> postfix/smtpd[7060]: warning: milter inet:127.0.0.1:10023: read error in >>>> initial handshake >>> >>> Also fix this. >> >> I've posted this to the greylist mailing list ages ago - nobody knows > > Turn off the milter, it is not working. im not sure how you'd know that ive learnt to live with the error - all unseen and whitelisted MTA's are handled by it fine
