On 15.12.21 at 23:35, Benny Pedersen wrote:
On 2021-12-15 23:04, raf wrote:

How could I get an Android client and a Postfix server work together
please?

It's just a guess, but maybe the problem is ECDSA.
If you add an RSA key as well, it might work.
Does that sound plausible?

or simply try smtps if submission fails on android

i use aquamail on android with success smtps / imaps (ssl not tls)

Benny,

Please do not confuse protocol versions with how TLS
handshake/negotiation is introduced.

SSL is the obsolete and unsafe predecessor to TLS but that or the TLS
version has NOTHING to do with whether you either: use dedicated
SSL-wrapped = TLS-wrapped = Implicit TLS ports for TCP,
or: start a vulnerable clear-text connection that starts at application
level, then proceeds through STARTTLS or STLS to negotiate TLS,
and when many applications forget to reset their state [1 below].

Standing recommendations are to use TLS v1.2 or newer. Obsolete clients
may want to talk TLS v1.1 or v1.0 though but should be upgraded or
phased out.

If you want to make a distinction between negotiation, i.e., whether
the TCP session starts with TLS handshake right away (called "Implicit
TLS" or "TLS-wrapped" on dedicated "...s" ports smtps/imaps/pop3s on
465/993/995) or cleartext initial conversation that negotiates TLS
in-band (STARTTLS for SMTP and IMAP, STLS for POP3 on ports 25/587, 143,
110, respectively), then make that clear. Anything else is coincidental
and adds to the confusion.

Thank you.

[1] After the Poddebniak et al. paper & presentation earlier this year,
Implicit TLS would get my preference, it is also cleaner and does not
mix application and security layers in ways that require special attention.
https://www.usenix.org/conference/usenixsecurity21/presentation/poddebniak
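
The two negotiation styles distinguished above, as they would look on the Postfix side. This is an added example, not configuration posted by anyone in the thread; the port numbers come from the message, while the listener layout and SASL options are assumptions, and certificate and key settings are assumed to be configured elsewhere in main.cf.

```conf
# /etc/postfix/main.cf (fragment)
# Refuse everything older than TLS v1.2 where TLS is mandatory.
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

# /etc/postfix/master.cf (fragment)
# Port 587: cleartext greeting, then in-band STARTTLS. "encrypt" makes
# TLS mandatory, so no AUTH or mail is accepted before the handshake.
587       inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes

# Port 465: Implicit TLS. The handshake starts right after the TCP
# connect; there is no cleartext phase and no STARTTLS command.
465       inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
```

In both cases the TLS protocol version is negotiated the same way; only the point at which the handshake begins differs.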
