Hi,
I have enabled TLS on 2 Postfix servers (MTA1, MTA2). When I try to send
mail from a simple Java client to the server it is working fine. TLS negotiation
happened properly. But when MTA1 tries to send mail to other MTA, mail is
getting deferred, writing the following log
" Aug 2 11:21:34 AHQ postfix/
On Tue, Aug 1, 2017, at 04:41 PM, Viktor Dukhovni wrote:
> Just put the cipherlist in single quotes, otherwise "bash" history
> substitution gets in the way:
Grrr. Ok.
> DO NOT confuse ciphers with protocol versions.
> No, these are protocol version exclusions, not cipher exclusions.
Yep. Tha
On Tue, Aug 01, 2017 at 04:11:45PM -0700, robg...@nospammail.net wrote:
> For any given cipherlist in Postfix e.g.
>
> tls_medium_cipherlist =
> !kDHE:CHACHA20:-CHACHA20:aNULL:-aNULL:HIGH:MEDIUM:@STRENGTH
>
> Is there a postfix command to display an order list, by preference, of
> all the act
For any given cipherlist in Postfix e.g.
tls_medium_cipherlist =
!kDHE:CHACHA20:-CHACHA20:aNULL:-aNULL:HIGH:MEDIUM:@STRENGTH
Is there a postfix command to display an order list, by preference, of all the
actually presented ciphers etc, *including* all the built-in Postfix exclusions?
I know
> On Aug 1, 2017, at 6:59 PM, robg...@nospammail.net wrote:
>
>> smtp_tls_high_cipherlist =
>> !aRSA:!aDSS:CHACHA20:-CHACHA20:aNULL:-aNULL:HIGH:@STRENGTH
>> smtp_tls_medium_cipherlist =
>> !aRSA:!aDSS:CHACHA20:-CHACHA20:aNULL:-aNULL:HIGH:MEDIUM:@STRENGTH
>
> smtp_tls_*
>
> or just
>
On Tue, Aug 1, 2017, at 03:27 PM, Viktor Dukhovni wrote:
> smtp_tls_high_cipherlist =
> !aRSA:!aDSS:CHACHA20:-CHACHA20:aNULL:-aNULL:HIGH:@STRENGTH
> smtp_tls_medium_cipherlist =
> !aRSA:!aDSS:CHACHA20:-CHACHA20:aNULL:-aNULL:HIGH:MEDIUM:@STRENGTH
smtp_tls_*
or just
tls_*
I'm fin
On Tue, Aug 01, 2017 at 02:41:52PM -0700, mark burdett wrote:
> Hi, I was curious if there are any plans for postfix to eventually support
> SMTP connection reuse with STARTTLS.
This requires a complex outbound TLS proxy to cache the connections
in process, and handle peer authentication. Some o
On Tue, Aug 01, 2017 at 02:59:35PM -0700, robg...@nospammail.net wrote:
> > The name "CHACHA20" matches any ciphersuite that uses that stream
> > cipher for the bulk crypto:
>
> Sounds like a group.
It names a set of related ciphersuites.
> > $ /opt/openssl/1.1.0/bin/openssl ciphers -V CHAC
> The name "CHACHA20" matches any ciphersuite that uses that stream
> cipher for the bulk crypto:
Sounds like a group.
> $ /opt/openssl/1.1.0/bin/openssl ciphers -V CHACHA20
Ok so 'documented' by openssl directly, nothing Postfix specific.
> 0xCC,0xA9 - ECDHE-ECDSA-CHACHA20-POLY
On Tue, Aug 01, 2017 at 01:59:54PM -0700, robg...@nospammail.net wrote:
> > I strongly recommend against
> > listing individual explicit cipher names. Later there will be
> > better key exchange algorithms, better hashes, ...
>
> Yeah I noticed you used just 'CHACHA20', which I guess is the grou
Hi, I was curious if there are any plans for postfix to eventually
support SMTP connection reuse with STARTTLS.
We were using postfix to deliver bulk mail (email newsletters) to a mail
relay. When TLS was disabled, Postfix was able to open up multiple
connections to the relay and reuse these
Here's a related recent thread
http://postfix.1071664.n5.nabble.com/postscreen-dnsbl-AND-smtpd-recipient-restrictions-rbl-tt91307.html#none
>-Original Message-
>From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org]
>On Behalf Of Alex
>Sent: Tuesday, August 01,
> Therefore, after "CHACHA20:-CHACHA20" the CHACHA20 ciphers are at
> the top of the enabled+unselected cipher stack. And then after
> "aNULL:-aNULL" the "aNULL" ciphers are at the top of the stack.
That's what I it took. I was thinking of it in a literal order, not
necessarily a pop'd/push'd s
Hi,
I'm using postfix-3.1.4 on fedora. I've just noticed I've configured
both postscreen to use spamhaus and other RBLs as well as have
configured the reject_rhsbl_* options. Is this duplicative and
unnecessary?
I've posted what I think are the relevant pieces in hopes someone
could review and cla
On Tue, Aug 01, 2017 at 11:50:48AM -0700, robg...@nospammail.net wrote:
> > the right way to do it is:
> > tls_high_cipherlist = CHACHA20:-CHACHA20:aNULL:-aNULL:HIGH:@STRENGTH
> > tls_medium_cipherlist =
> > CHACHA20:-CHACHA20:aNULL:-aNULL:HIGH:MEDIUM:@STRENGTH
> > This leaves the existin
On Tue, Aug 1, 2017, at 10:55 AM, Viktor Dukhovni wrote:
> listed first, pending any other directives that change the order.
Ok, that 'pending others' part was what I wasn't getting.
> > Well I have to tweak a bit anyway. I need to get ChaCha20 working. And
> > I intend to know about it if only
Since this is a SOCKS proxy and not a VPN, you could redirect Postfix traffic
with iptables to the port your SOCKS proxy listens on. Plenty of examples on
Google.
On Aug 1, 2017 19:23, "Yubin Ruan" wrote:
> 2017-08-01 22:54 GMT+08:00 Tom Hendrikx :
> >
> >
> > On 01-08-17 16:46, Wietse Venema wrote:
> >> Y
On Mon, Jul 31, 2017 at 03:19:29PM -0700, robg...@nospammail.net wrote:
> > (Note that's "aNULL:-aNULL:..." not "aNULL:!aNULL:...").
>
> Yeah noticed that. Not clear what the diff is yet, but sticking with the
> "aNULL:-aNULL" for this.
The difference is rather large. The OpenSSL cipherlist
You don't know local IP except that it will be in that block (cidr). In
practice, my first VPN instance will use 10.8.0.6. I don't recall what is used
when I run two VPNs.
But I get your point.
Original Message
From: wie...@porcupine.org
Sent: August 1, 2017 7:46 AM
To: postfix-users@post
2017-08-02 0:21 GMT+08:00 Yubin Ruan :
> 2017-08-01 22:54 GMT+08:00 Tom Hendrikx :
>>
>>
>> On 01-08-17 16:46, Wietse Venema wrote:
>>> Yubin Ruan:
Can anyone tell me how to point postfix to a VPN connection? I have
setup a VPN listening at background on my Ubuntu and I want to point
2017-08-01 22:54 GMT+08:00 Tom Hendrikx :
>
>
> On 01-08-17 16:46, Wietse Venema wrote:
>> Yubin Ruan:
>>> Can anyone tell me how to point postfix to a VPN connection? I have
>>> setup a VPN listening at background on my Ubuntu and I want to point
>>> postfix to that listening port whenever postfix
Gary Sellani wrote on 2017-08-01 14:31:
Could the host be something like 10.8.0.0/24?
make a hostname with multiple A//MX
to do this one could simply add ip-addr to /etc/hosts with the hostname
wanted for the lan of rfc1918 ips
then change relayhost to
relayhost = smtp::25
postfix wi
On 01-08-17 16:46, Wietse Venema wrote:
> Yubin Ruan:
>> Can anyone tell me how to point postfix to a VPN connection? I have
>> setup a VPN listening at background on my Ubuntu and I want to point
>> postfix to that listening port whenever postfix try to connect to the
>> internet.
>
> Wietse:
>
Yubin Ruan:
> Can anyone tell me how to point postfix to a VPN connection? I have
> setup a VPN listening at background on my Ubuntu and I want to point
> postfix to that listening port whenever postfix try to connect to the
> internet.
Wietse:
> You specify
> /etc/postfix/main.cf:
> relayhost
Could the host be something like 10.8.0.0/24?
Original Message
From: wie...@porcupine.org
Sent: August 1, 2017 4:01 AM
To: postfix-users@postfix.org
Reply-to: postfix-users@postfix.org
Subject: Re: Specify VPN for postfix
Yubin Ruan:
> Hi,
> Can anyone tell me how to point postfix to a VPN
Yubin Ruan:
> Hi,
> Can anyone tell me how to point postfix to a VPN connection? I have
> setup a VPN listening at background on my Ubuntu and I want to point
> postfix to that listening port whenever postfix try to connect to the
> internet.
You specify
/etc/postfix/main.cf:
relayhost = smtp
Easiest case if the default route for the postfix server points to the vpn
tunnel.
If def gw does not point to vpn then you could use nat rules on vpn server to
replace the src address with the vpn server's vpn address.
If NAT is not an option then you will have to set up a policy based routing
On 01.08.2017 at 06:07, Yubin Ruan wrote:
> Hi,
> Can anyone tell me how to point postfix to a VPN connection? I have
> setup a VPN listening at background on my Ubuntu and I want to point
> postfix to that listening port whenever postfix try to connect to the
> internet.
Hi,
read description o
28 matches