On Fri, Apr 12, 2019 at 11:57:09PM +0200, Ralph Seichter wrote:
> Hm. Hardenize tells me "Email TLS ... not implemented or disabled",
> which I don't quite understand, given the following settings:
>
> smtpd_tls_ask_ccert = yes
> smtpd_tls_auth_only = yes
> smtpd_tls_fingerprint_digest = sha256
> smtpd_tls_dh512_param_file = /etc/ssl/private/dh512.pem
> smtpd_tls_dh1024_param_file = /etc/ssl/private/dh2048.pem
> smtpd_tls_CApath = ...
> smtpd_tls_cert_file = ...
> smtpd_tls_key_file = ...
> smtpd_tls_loglevel = 1
> smtpd_tls_received_header = yes
> smtpd_tls_security_level = may
>
> So, who is confused, me or Hardenize?
Naturally the latter, but over IPv6 your SMTP server does have a rather noticeable pre-greet delay; perhaps Hardenize defaults to IPv6 and is unwilling to wait that long. The ipv4 service is more responsive.

$ posttls-finger -aipv4 -L summary monksofcool.net
posttls-finger: Connected to ra.horus-it.com[94.130.34.199]:25
posttls-finger: < 220 ra.horus-it.com ESMTP
posttls-finger: > EHLO amnesiac.invalid
posttls-finger: < 250-ra.horus-it.com
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-SIZE 31457280
posttls-finger: < 250-VRFY
posttls-finger: < 250-ETRN
posttls-finger: < 250-STARTTLS
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-DSN
posttls-finger: < 250-SMTPUTF8
posttls-finger: < 250 CHUNKING
posttls-finger: > STARTTLS
posttls-finger: < 220 2.0.0 Ready to start TLS
posttls-finger: Verified TLS connection established to ra.horus-it.com[94.130.34.199]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
posttls-finger: > EHLO amnesiac.invalid
posttls-finger: < 250-ra.horus-it.com
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-SIZE 31457280
posttls-finger: < 250-VRFY
posttls-finger: < 250-ETRN
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-DSN
posttls-finger: < 250-SMTPUTF8
posttls-finger: < 250 CHUNKING
posttls-finger: > QUIT
posttls-finger: < 221 2.0.0 Bye

--
	Viktor.
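The diagnosis above (a scanner with a short timeout gives up on a slow-greeting IPv6 listener and reports "TLS not implemented") can be reproduced with a small probe that connects over each address family separately, times the 220 banner, and checks the EHLO reply for STARTTLS. This is an added example, not Postfix, posttls-finger or Hardenize code; the host name and the assumed scanner timeout are placeholders.

```python
# Added example (not Postfix/posttls-finger/Hardenize code): time an MX's
# pre-greet delay per address family and check whether EHLO lists STARTTLS.
import socket
import time

SCANNER_TIMEOUT = 10.0  # assumed: seconds an external scanner waits for 220


def read_reply(sock_file):
    """Read one SMTP reply; the last line has a space after the 3-digit code."""
    lines = []
    while True:
        raw = sock_file.readline()
        if not raw:
            raise ConnectionError("connection closed mid-reply")
        line = raw.decode("utf-8", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) >= 4 and line[3] == " ":
            return "\n".join(lines)


def parse_ehlo(reply):
    """Extension keywords from a 250 EHLO reply (first 250 line is the hostname)."""
    rows = [l for l in reply.splitlines() if l[:3] == "250" and l[3:4] in "- "]
    return {l[4:].strip().split()[0].upper() for l in rows[1:] if l[4:].strip()}


def classify(banner_delay, has_starttls, limit=SCANNER_TIMEOUT):
    """What a scanner that abandons the session after `limit` seconds concludes."""
    if banner_delay > limit:
        return "timeout-before-banner"  # shows up as "TLS not implemented"
    return "starttls" if has_starttls else "no-starttls"


def probe(host, family, port=25, timeout=60.0):
    """Connect over one address family; return (seconds to 220 banner, STARTTLS?)."""
    af, kind, proto, _, addr = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)[0]
    with socket.socket(af, kind, proto) as s:
        s.settimeout(timeout)
        s.connect(addr)
        f = s.makefile("rb")
        start = time.monotonic()
        banner = read_reply(f)  # time spent here is the pre-greet delay
        delay = time.monotonic() - start
        if not banner.startswith("220"):
            raise ConnectionError(banner)
        s.sendall(b"EHLO probe.invalid\r\n")
        exts = parse_ehlo(read_reply(f))
        s.sendall(b"QUIT\r\n")
        return delay, "STARTTLS" in exts


if __name__ == "__main__":
    for name, fam in (("ipv4", socket.AF_INET), ("ipv6", socket.AF_INET6)):
        try:  # "mx.example.invalid" is a placeholder host
            delay, tls = probe("mx.example.invalid", fam)
            print(name, f"{delay:.1f}s", classify(delay, tls))
        except OSError as e:
            print(name, "error:", e)
```

Run it against your own MX from a host with both address families; a large difference between the two banner delays, or a "timeout-before-banner" verdict on one family, explains a scanner result like the one in the question.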