On 15/6/2022 3:08 am, Viktor Dukhovni wrote:
Increasing security is primarily about raising the *ceiling*, and rarely
about raising the floor. When you set the bar too high, instead of
greater security, mail is sent in the clear or not at all.
https://datatracker.ietf.org/doc/html/rfc7435
On Wed, Jun 15, 2022 at 12:33:52AM +0200, Steffen Nurpmeso wrote:
> Viktor Dukhovni wrote in
> :
> |On Wed, Jun 15, 2022 at 12:07:25AM +0530, P V Anthony wrote:
> |> On 13/6/2022 4:31 pm, Wietse Venema wrote:
> ...
> |Two comments on your server setup:
> |
> |* The server certificate is
Viktor Dukhovni wrote in
:
|On Wed, Jun 15, 2022 at 12:07:25AM +0530, P V Anthony wrote:
|> On 13/6/2022 4:31 pm, Wietse Venema wrote:
...
|Two comments on your server setup:
|
|* The server certificate is 4096 bit RSA. This is needlessly turgid.
The FreeBSD handbook recommended 4096 R
On Tue, Jun 14, 2022 at 05:51:17PM -0400, Dan Mahoney wrote:
> Postfix has sane defaults as long as you run a fairly recent version,
> and the developers have clue. Not all apps have sane defaults (for
> example, I could see the need to configure default SSL configs with
> Sendmail).
Even when P
> On Jun 14, 2022, at 5:30 PM, P V Anthony wrote:
>
> On 15/6/2022 2:43 am, Viktor Dukhovni wrote:
>
>> The simplest configuration is therefore to just leave the parameter
>> unset, the default value will be sensible.
>
> I have just commented out smtpd_tls_dh1024_param_file
>
> I have made s
On Wed, Jun 15, 2022 at 03:00:58AM +0530, P V Anthony wrote:
> On 15/6/2022 2:43 am, Viktor Dukhovni wrote:
>
> > The simplest configuration is therefore to just leave the parameter
> > unset, the default value will be sensible.
>
> I have just commented out smtpd_tls_dh1024_param_file
>
> I ha
On 15/6/2022 2:43 am, Viktor Dukhovni wrote:
The simplest configuration is therefore to just leave the parameter
unset, the default value will be sensible.
I have just commented out smtpd_tls_dh1024_param_file
I have made so many mistakes trying to increase security.
Talk about bobo on my
On Wed, Jun 15, 2022 at 01:45:36AM +0530, P V Anthony wrote:
> smtpd_tls_dh1024_param_file = /etc/pki/tls/private/postfix.dh.param
Also, this appears to be a 4096-bit DH key, again much too turgid. Use
2048 bits instead:
https://www.postfix.org/postconf.5.html#smtpd_tls_dh1024_param_file
s
On 15/6/2022 2:33 am, Viktor Dukhovni wrote:
Actually, don't. I meant "2".
Ok. I have just changed it to "2".
Thank you for being patient.
P.V.Anthony
On Wed, Jun 15, 2022 at 01:46:49AM +0530, P V Anthony wrote:
> On 15/6/2022 1:32 am, Viktor Dukhovni wrote:
>
> > You may need to temporarily raise the TLS log level to "2".
> >
> > smtpd_tls_loglevel = 2
>
> Just did smtpd_tls_loglevel = 3 just to be sure.
Actually, don't. I meant "2".
On 15/6/2022 2:16 am, Viktor Dukhovni wrote:
Either add the option:
--preferred-chain "ISRG Root X1"
to your cron job running "certbot renew", or else add the following to
configuration under
/etc/letsencrypt/renewal/,
preferred_chain = ISRG Root X1
Wow!!!
Thank you very much fo
On 15/6/2022 2:20 am, Viktor Dukhovni wrote:
For this, in the renewal configuration file:
rsa_key_size = 2048
or on the command-line:
--rsa-key-size=2048
Thank you very very very much for helping. I really do appreciate it
very very very much.
This advice has saved me a lot of
On Wed, Jun 15, 2022 at 01:56:59AM +0530, P V Anthony wrote:
> On 15/6/2022 1:45 am, Viktor Dukhovni wrote:
>
> > Two comments on your server setup:
> >
> > * The server certificate is 4096 bit RSA. This is needlessly turgid.
> >The issuing CA is 2048 bits, there is little to gain
On Wed, Jun 15, 2022 at 01:56:59AM +0530, P V Anthony wrote:
> > * The "Let's Encrypt CA" chain is configured for compatibility with
> > legacy Android systems that trust the expired "DST" root CA:
> >
> > subject=CN = prometheus.mindmedia.com.sg
> > issuer=C = US, O = Let's Encrypt, CN
On 15/6/2022 1:45 am, Viktor Dukhovni wrote:
Two comments on your server setup:
* The server certificate is 4096 bit RSA. This is needlessly turgid.
The issuing CA is 2048 bits, there is little to gain from a
stronger EE key. Some peer libraries may not support keys of this
On 15/6/2022 1:32 am, Viktor Dukhovni wrote:
You may need to temporarily raise the TLS log level to "2".
smtpd_tls_loglevel = 2
Just did smtpd_tls_loglevel = 3 just to be sure.
This is unfortunately going to apply to all remote clients, not just
"ariba".
Noted.
P.V.Anthony
On 15/6/2022 12:38 am, Wietse Venema wrote:
What is the output from:
# postconf -nf | grep tls | grep -v smtp_
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_dh1024_param_file = /etc/pki/tls/private/postfix.dh.param
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_loglevel = 3 #
On Wed, Jun 15, 2022 at 12:07:25AM +0530, P V Anthony wrote:
> On 13/6/2022 4:31 pm, Wietse Venema wrote:
>
> > Delete the TLS protocol and cipher crap, and see if that solves
> > the problem.
>
> I am sad to report, even after removing the bad configs, the ariba
> emails are still not coming in
On Wed, Jun 15, 2022 at 12:07:25AM +0530, P V Anthony wrote:
> On 13/6/2022 4:31 pm, Wietse Venema wrote:
>
> > Delete the TLS protocol and cipher crap, and see if that solves
> > the problem.
>
> I am sad to report, even after removing the bad configs, the ariba
> emails are still not coming i
P V Anthony:
> On 13/6/2022 4:31 pm, Wietse Venema wrote:
>
> > Delete the TLS protocol and cipher crap, and see if that solves
> > the problem.
>
> I am sad to report, even after removing the bad configs, the ariba
> emails are still not coming in.
>
> Here are the logs. Is there any other thi
On 13/6/2022 4:31 pm, Wietse Venema wrote:
Delete the TLS protocol and cipher crap, and see if that solves
the problem.
I am sad to report, even after removing the bad configs, the ariba
emails are still not coming in.
Here are the logs. Is there any other thing I can do?
-- st
On Tue, Jun 14, 2022 at 04:57:49PM +0200, Yves-Marie Le Pors Chauvel wrote:
> ==
> #service type private unpriv chroot wakeup maxproc command + args
> # (yes) (yes) (yes) (never) (100)#
> ===
On 14.06.22 16:57, Yves-Marie Le Pors Chauvel wrote:
Using Postfix 3.5.6, only one IP per postfix instance, I have an issue with
a specific Mailbox Provider limiting to 3 ingoing connections per IP.
==#
service type priva
Yves-Marie Le Pors Chauvel:
> Is there a way to implement a delay between connection closing and
> reopening for a specific transport in Postfix, while still using connection
> reuse ?
No, you can't. When email volume drops, the Postfix SMTP client
will not try to reuse a connection even if there
On 6/10/22 08:55, Gerben Wierda wrote:
>
>> On 10 Jun 2022, at 13:17, Wietse Venema wrote:
>>
>> Wietse Venema:
>>> Gerben Wierda:
> On 10 Jun 2022, at 02:30, Wietse Venema wrote:
>
> Gerben Wierda:
>> What is happening here? (mail is delivered, I'm just curious)
>>
Hi there,
Using Postfix 3.5.6, only one IP per postfix instance, I have an issue with
a specific Mailbox Provider limiting to 3 ingoing connections per IP.
Here is my setup for this Mailbox Provider for outgoing connections to this
provider :
In master.cf :
*#
==
26 matches