Benny Pedersen wrote in
 <f9bec3516bcc5a81c6f4c355aef39...@junc.eu>:
 |Steffen Nurpmeso skrev den 2023-01-07 19:35:
 |> Matus UHLAR - fantomas wrote in
 |>  <Y7l7qS2IF/mxz...@fantomas.sk>:
 |>  ...
 |>|one
 |>|can disable aDH by adding it to smtp_tls_mandatory_exclude_ciphers.
 |> 
 |> Just last week with the new lighttpd update i followed his
 |> maintainer by doing (the EDH+AESGCM is _my_ addition, blame _me_
 |> for that, it adds four combinations):
 |> 
 |>   # super modern, forward secrecy TLSv1.2 / TLSv1.3 selection..
 |>   tls_high_cipherlist = EECDH+AESGCM:EECDH+AES256:EDH+AESGCM:CHACHA20
 |>   smtpd_tls_mandatory_ciphers = high
 |>   smtpd_tls_mandatory_exclude_ciphers = TLSv1
 |> 
 |> For long (many, many months) i have
 |> 
 |>   smtpd_tls_mandatory_protocols = >=TLSv1.2
 |>   smtpd_tls_protocols = $smtpd_tls_mandatory_protocols
 |> 
 |> All this transported to other (client etc) via such var
 |> assignments.
 |> I have no fallout after two days (in which i had bitten the
 |> bullet and really read through the logs; yet; i also presumed he
 |> did some careful investigation before being that rigid, so).
 |
 |Received: by kent.sdaoden.eu (Postfix, from userid 1000)
 | id 25D02B4B1E; Sat,  7 Jan 2023 19:35:21 +0100 (CET)
 |Date: Sat, 07 Jan 2023 19:35:21 +0100
 |Author: Steffen Nurpmeso <stef...@sdaoden.eu>
 | From: Steffen Nurpmeso <stef...@sdaoden.eu>
 |
 |you are not using postfix imho when it makes "RCVD_ILLEGAL_IP Received: 
 |contains illegal IP address" in spamassassin test

In short: actually i consider this a bug in SpamAssassin that
bothers me for long.

In long: i am using VPN, and it has grown, but then someday i tried to
enter a public wireless access point and it used the same IP range as
my VPN.  Whereas over-engineering is everywhere, no one seemed to
ever have bothered to give claims for such, so anybody is using
the (0.0.0.0/8), 10.0.0.0/8, (127.0.0.0/8), 172.16.0.0/12,
192.168.0.0/16, and 240.0.0.0/4 (of i think RFC 3704) just as they
will.  Now that sucks.
I (still avoiding IPv6 in real-life, though that is a real brain
damage problem as it would solve the issue) looked around and
found the RFC 5737 TEST-NET-[123] IP addresses that "are forbidden
on the public internet", and which i also explicitly turn off on
ingress.  Yet no one says they might not be used in a VPN, and so
this is what i do, i use them for several different VPNs (VMs,
etc etc).
As all those IPs are not used in the internet, but only in the
VPN, then sent out to the real world from (a) valid IP(s),
i considered this approach to be "smart" in that i was able to
simply forget about the problem of IP range clashes in any WiFi
i can encounter.
But, bummer, SpamAssassin is an idiot.  (On the other hand my
messages normally get so much drift into the other direction that
it is still ok, and may it only be SPF and such from the actual
server.)

Sorry!!

 --End of <f9bec3516bcc5a81c6f4c355aef39...@junc.eu>

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
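
An added example, not part of the original message and not SpamAssassin's own rule: a Python audit that scans Received: headers for IPv4 addresses in the special-purpose ranges listed in the message and in the RFC 5737 TEST-NET blocks, so a mail admin can see which internal addresses the headers of outgoing mail expose. The function names and the sample headers are constructed for illustration.

```python
import ipaddress
import re

# Ranges listed in the message, plus the three RFC 5737 TEST-NET blocks.
SPECIAL = {
    "0.0.0.0/8": "this-network",
    "10.0.0.0/8": "private",
    "127.0.0.0/8": "loopback",
    "172.16.0.0/12": "private",
    "192.168.0.0/16": "private",
    "240.0.0.0/4": "reserved",
    "192.0.2.0/24": "TEST-NET-1",
    "198.51.100.0/24": "TEST-NET-2",
    "203.0.113.0/24": "TEST-NET-3",
}
NETS = [(ipaddress.ip_network(n), label) for n, label in SPECIAL.items()]
# Dotted quad that is not part of a longer dotted number.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

def classify(addr):
    """Return the special-range label for addr, or None for ordinary addresses."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on non-addresses
    return next((label for net, label in NETS if ip in net), None)

def audit_received(raw_headers):
    """List (address, label) for special-range IPv4 literals in Received: headers."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)  # undo header folding
    findings = []
    for line in unfolded.splitlines():
        if not line.lower().startswith("received:"):
            continue
        for cand in IPV4_RE.findall(line):
            try:
                label = classify(cand)
            except ValueError:  # e.g. 999.1.1.1 is not an address
                continue
            if label:
                findings.append((cand, label))
    return findings

# Constructed sample headers (hypothetical hosts and queue ids).
SAMPLE = (
    "Received: from laptop.example (laptop.example [192.0.2.17])\n"
    "\tby mx.example (Postfix) with ESMTPSA id 4ABCDEF;\n"
    "\tSat,  7 Jan 2023 19:35:21 +0100 (CET)\n"
    "Received: from relay.example (relay.example [8.8.8.8])\n"
    "\tby mx2.example (Postfix) with ESMTPS id 4XYZ;\n"
    "Subject: [10.0.0.1] is only mentioned here, not in a Received line\n"
)
```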
