On 2024-02-29 10:27, Viktor Dukhovni via Postfix-users wrote:
On Thu, Feb 29, 2024 at 08:59:44AM +0100, Alexander Leidinger via
Postfix-users wrote:
# grep tls main.cf | grep -vE '^#'
smtp_tls_security_level = encrypt
smtpd_tls_ask_ccert = yes
smtpd_tls_CApath = $smtp_tls_CApath
Not gen
On Fri, Mar 01, 2024 at 12:26:33AM +0100, Steffen Nurpmeso wrote:
> i still use the
>
> # super modern, forward secrecy TLSv1.2 / TLSv1.3 selection..
> tls_high_cipherlist = EECDH+AESGCM:EECDH+AES256:EDH+AESGCM:CHACHA20
I don't recommend cargo-culting random cipher lists.
> smtpd_tls_mand
postfix-users@postfix.org wrote in
:
|On Thu, Feb 29, 2024 at 06:36:09AM -0500, Scott Hollenbeck wrote:
|
|> Sorry, context is important. This server needs to pass a Payment Card
|> Industry (PCI) compliance scan. Their definition of weak: "key lengths of
|> less than 112 bits, or else use th
On 28.02.24 21:31, Scott Techlist via Postfix-users wrote:
As I understand from your explanation, if I keep my
parent_domain_matches_subdomains = smtpd_access_maps
Then the preceding dot format is moot/not needed. Only
outbound.protection.outlook.com OK
I recommend keeping pare
On Thu, Feb 29, 2024 at 06:36:09AM -0500, Scott Hollenbeck wrote:
> Sorry, context is important. This server needs to pass a Payment Card
> Industry (PCI) compliance scan. Their definition of weak: "key lengths of
> less than 112 bits, or else use the 3DES encryption suite". Opportunistic
> TLS is
> -Original Message-
> From: Viktor Dukhovni via Postfix-users
> Sent: Wednesday, February 28, 2024 8:46 PM
> To: postfix-users@postfix.org
> Subject: [pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak
> Ciphers
>
> On Wed, Feb 28, 2024 at 08:55:04AM -0500, Scott Hollenbeck
On Thu, Feb 29, 2024 at 08:59:44AM +0100, Alexander Leidinger via Postfix-users
wrote:
> # grep tls main.cf | grep -vE '^#'
> smtp_tls_security_level = encrypt
> smtpd_tls_ask_ccert = yes
> smtpd_tls_CApath = $smtp_tls_CApath
Not generally applicable.
> smtp_tls_mandatory_protocols = !SSLv2 ,
On 2024-02-28 14:55, Scott Hollenbeck via Postfix-users wrote:
> Would someone please describe the configuration settings needed to support
> TLS 1.2 and 1.3 with no weak ciphers? Here's what I currently have in my
That depends on your definition of "weak".
> configuration files:
> main.cf:
> smtp