> On Apr 24, 2017, at 12:15 PM, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
>
>> On Apr 24, 2017, at 12:51 PM, Michael Segel <dovecot_...@hotmail.com> wrote:
>>
>> I wouldn’t say fashionista…
>>
>> More of an experiment since it’s easy to replace the tickets.
>> I wanted to try something a wee bit more secure. There’s actually a
>> downstream reason for this…
>
> Excessively long keys that exceed the needs of nation state agencies and reduce
> interoperability are not "a wee bit more secure". Especially with opportunistic
> security, these yield less security, not more.
>
>> But of course, I’m still at a loss as to why the initial rDNS handshake as well
>> as attempts to hit zen.spamhaus for a lookup are also failing.
>
> DNS requests for SpamHaus cannot be forwarded to an ISP resolver. As explained
> multiple times, you need to run your own resolver and list only that resolver
> (127.0.0.1) in /etc/resolv.conf.

I will have to check how I’m doing it on my other server. It works there but not on the new machine. Both should be roughly the same, although the older server is CentOS 6 and an earlier version of Postfix and Dovecot.

> Also disable chroot at least long enough to get your system working. Then, if
> you feel confident you know how to operate a working chroot environment, enable
> chroot for some services and test with care. For most users chroot is not worth
> it.
>
> --
> Viktor.
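As an added check for the resolver advice quoted above (example code, not from this thread or from the Postfix project): a POSIX sh function that verifies a resolv.conf file lists only a loopback resolver, so DNSBL queries such as the zen.spamhaus lookup are never handed to an ISP resolver. The sample files under the temporary directory are constructed for the demonstration, not real system configuration.

```shell
#!/bin/sh
# resolver_is_local FILE
# Returns 0 when FILE has at least one "nameserver" entry and every such
# entry is a loopback address (127.0.0.1 or ::1); returns 1 otherwise.
# Comment lines and other keywords (search, options, ...) are ignored.
resolver_is_local() {
    file="$1"
    [ -r "$file" ] || return 1
    count=0
    bad=0
    while read -r key value rest; do
        case "$key" in
            nameserver)
                count=$((count + 1))
                case "$value" in
                    127.0.0.1|::1) ;;
                    *) bad=$((bad + 1)) ;;
                esac
                ;;
        esac
    done < "$file"
    [ "$count" -gt 0 ] && [ "$bad" -eq 0 ]
}

# Constructed sample files (assumption: not copied from any real host).
tmpdir=$(mktemp -d)
printf 'nameserver 127.0.0.1\noptions timeout:2\n' > "$tmpdir/good.conf"
# An ISP resolver listed as a fallback is still wrong: the stub resolver may
# send the DNSBL query there, and that answer will not be usable.
printf 'nameserver 127.0.0.1\nnameserver 192.0.2.53\n' > "$tmpdir/mixed.conf"

for f in good mixed; do
    if resolver_is_local "$tmpdir/$f.conf"; then
        echo "$f.conf: only a local resolver is listed"
    else
        echo "$f.conf: non-local or missing nameserver entry"
    fi
done
```

Run it against the live file with `resolver_is_local /etc/resolv.conf` (and, when chroot is enabled, against the copy inside the Postfix queue directory as well).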