Hello,

On Thu, Jan 28, 2021 at 09:48:13PM +0000, Chu, Uy wrote:
smtp_tls_CAfile = /etc/postfix/ca.crt
smtp_tls_ciphers = high
smtp_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2, RC4, aNULL
smtp_tls_loglevel = 2

On 28.01.21 17:01, Viktor Dukhovni wrote:
Not sure why you want to disable aNULL, or set the log level > 1.

Seems I made the same mistake when configuring ciphers for multiple
services.

Excluding aNULL should not be needed on the smtp port, but apparently
is useful on ports with mandatory encryption.

This should probably be better:

smtpd_tls_exclude_ciphers=MD5,SRP,PSK,aDSS,kECDH,kDH,SEED,IDEA,RC2,RC5,RC4,3DES
smtpd_tls_mandatory_exclude_ciphers=aNULL

I borrowed from https://marc.info/?l=postfix-users&m=155509005512179&w=2


smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
smtp_tls_protocols = !SSLv2,!SSLv3

These are default values, no need to set them explicitly.

smtp_tls_mandatory_protocols could have ,!TLSv1 appended though.
(some seem to recommend even ,!TLSv1.1)

smtpd_tls_CAfile = /etc/postfix/ca.crt

You don't need a CAfile here either, since you don't solicit client
certs.  The subject DNs of certs in the CAfile end up in the server
handshake packets, and if there are too many can cause problems.

smtpd_tls_key_file = /etc/postfix/smtpout_slac_stanford_edu.key
smtpd_tls_cert_file = /etc/postfix/smtpout_slac_stanford_edu.crt

Make sure this includes any requisite intermediate CA certs.

Seems that if we provide smtpd_tls_CAfile with the intermediate certificate for
our certificate specified by smtpd_tls_cert_file, the authority gets added
to the certificate chain.

I'm curious if this is intentional.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
42.7 percent of all statistics are made up on the spot.

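The points raised in this exchange (aNULL belongs only in the mandatory exclude list, the protocol settings quoted are just the defaults, a server-side CAfile is pointless without soliciting client certificates, and loglevel 2 is too chatty) can be checked mechanically. The following is an added example, not code from the thread or from the Postfix project: a small linter that parses a main.cf fragment (including whitespace-led continuation lines, as Postfix does) and reports those four conditions. Both main.cf samples are constructed; the first mirrors the quoted configuration, the second the corrected one. The "default" protocol value assumed here is the Postfix 3.5-era default `!SSLv2,!SSLv3` that the thread refers to, and the check relies on the real Postfix parameter `smtpd_tls_ask_ccert` defaulting to `no`.

```python
"""Lint a Postfix main.cf TLS section against the advice in the thread.

Added example; the configuration samples below are constructed, not taken
from any real server.
"""
import re

# Assumption: the *_tls_protocols default at the time of the thread (Postfix 3.5).
DEFAULT_PROTOCOLS = "!SSLv2,!SSLv3"

# Constructed sample mirroring the quoted configuration (with one continuation line).
SAMPLE_MAIN_CF = """\
# constructed sample: the configuration as originally posted
smtp_tls_CAfile = /etc/postfix/ca.crt
smtp_tls_ciphers = high
smtp_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2,
    RC4, aNULL
smtp_tls_loglevel = 2
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
smtp_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_CAfile = /etc/postfix/ca.crt
smtpd_tls_key_file = /etc/postfix/smtpout.key
smtpd_tls_cert_file = /etc/postfix/smtpout.crt
"""

# Constructed sample applying the thread's suggestions.
SAMPLE_FIXED_CF = """\
# constructed sample: corrected configuration
smtp_tls_ciphers = high
smtp_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2, RC4
smtp_tls_loglevel = 1
smtpd_tls_exclude_ciphers = MD5,SRP,PSK,aDSS,kECDH,kDH,SEED,IDEA,RC2,RC5,RC4,3DES
smtpd_tls_mandatory_exclude_ciphers = aNULL
smtpd_tls_key_file = /etc/postfix/smtpout.key
smtpd_tls_cert_file = /etc/postfix/smtpout.crt
"""


def parse_main_cf(text):
    """Parse 'name = value' lines; a line starting with whitespace continues
    the previous parameter's value, as in Postfix's own main.cf syntax."""
    params = {}
    key = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            if key is not None:
                params[key] = (params[key] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue  # not a parameter assignment
        key = name.strip()
        params[key] = value.strip()
    return params


def split_list(value):
    """Postfix list parameters are separated by commas and/or whitespace."""
    return [t for t in re.split(r"[,\s]+", value) if t]


def lint_tls(params):
    """Return a list of findings; an empty list means the fragment is clean."""
    findings = []
    for side in ("smtp", "smtpd"):
        # aNULL in the opportunistic list also applies at mandatory levels,
        # since the mandatory list is additive; the thread's advice is to
        # exclude it only where encryption is mandatory.
        opp = split_list(params.get(f"{side}_tls_exclude_ciphers", ""))
        if "aNULL" in opp:
            findings.append(f"{side}_tls_exclude_ciphers: aNULL excluded at the "
                            f"opportunistic level; use {side}_tls_mandatory_exclude_ciphers")
        for p in (f"{side}_tls_protocols", f"{side}_tls_mandatory_protocols"):
            if p in params and split_list(params[p]) == split_list(DEFAULT_PROTOCOLS):
                findings.append(f"{p}: explicitly set to the default {DEFAULT_PROTOCOLS}")
        try:
            if int(params.get(f"{side}_tls_loglevel", "0")) > 1:
                findings.append(f"{side}_tls_loglevel: > 1 is only for debugging")
        except ValueError:
            findings.append(f"{side}_tls_loglevel: not an integer")
    # A server CAfile only matters when client certificates are solicited;
    # otherwise its subject DNs just bloat the handshake.
    if "smtpd_tls_CAfile" in params and params.get("smtpd_tls_ask_ccert", "no").lower() != "yes":
        findings.append("smtpd_tls_CAfile: set without smtpd_tls_ask_ccert = yes")
    return findings


if __name__ == "__main__":
    for label, cf in (("original", SAMPLE_MAIN_CF), ("fixed", SAMPLE_FIXED_CF)):
        print(f"== {label} ==")
        for f in lint_tls(parse_main_cf(cf)) or ["(no findings)"]:
            print(" -", f)
```

Run it against a real main.cf with `lint_tls(parse_main_cf(open("/etc/postfix/main.cf").read()))`; note that it only reads main.cf, so overrides in master.cf `-o` options (for example a separate submission service) are not seen.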