On Fri, Mar 01, 2024 at 08:58:07AM +0100, Alexander Leidinger wrote:
> > > tls_high_cipherlist=ALL:!RSA:!CAMELLIA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SHA1:!SHA256:!SHA384;
> >
> > Not recommended. It disables all non-AEAD ciphers, and aNULL ciphers,
> > which are fine to use.
Viktor Dukhovni via Postfix-users wrote in
:
|On Fri, Mar 01, 2024 at 12:26:33AM +0100, Steffen Nurpmeso wrote:
|
|> i still use the
|>
|> # super modern, forward secrecy TLSv1.2 / TLSv1.3 selection..
|> tls_high_cipherlist = EECDH+AESGCM:EECDH+AES256:EDH+AESGCM:CHACHA20
|
|I don't re
On 2024-02-29 13:46, Viktor Dukhovni via Postfix-users wrote:
On Thu, Feb 29, 2024 at 06:36:09AM -0500, Scott Hollenbeck wrote:
> What do you consider weak?
All of the anonymous Diffie-Hellman suites with an "F" score. How can
I eliminate the following:
Who's assigning the "F" scores?
Nma
On 2024-02-29 10:27, Viktor Dukhovni via Postfix-users wrote:
On Thu, Feb 29, 2024 at 08:59:44AM +0100, Alexander Leidinger via
Postfix-users wrote:
# grep tls main.cf | grep -vE '^#'
smtp_tls_security_level = encrypt
smtpd_tls_ask_ccert = yes
smtpd_tls_CApath = $smtp_tls_CApath
Not gen
On Fri, Mar 01, 2024 at 12:26:33AM +0100, Steffen Nurpmeso wrote:
> i still use the
>
> # super modern, forward secrecy TLSv1.2 / TLSv1.3 selection..
> tls_high_cipherlist = EECDH+AESGCM:EECDH+AES256:EDH+AESGCM:CHACHA20
I don't recommend cargo-culting random cipher lists.
> smtpd_tls_mand
postfix-users@postfix.org wrote in
:
|On Thu, Feb 29, 2024 at 06:36:09AM -0500, Scott Hollenbeck wrote:
|
|> Sorry, context is important. This server needs to pass a Payment Card
|> Industry (PCI) compliance scan. Their definition of weak: "key lengths of
|> less than 112 bits, or else use th
On Thu, Feb 29, 2024 at 06:36:09AM -0500, Scott Hollenbeck wrote:
> Sorry, context is important. This server needs to pass a Payment Card
> Industry (PCI) compliance scan. Their definition of weak: "key lengths of
> less than 112 bits, or else use the 3DES encryption suite". Opportunistic
> TLS is
> -Original Message-
> From: Viktor Dukhovni via Postfix-users
> Sent: Wednesday, February 28, 2024 8:46 PM
> To: postfix-users@postfix.org
> Subject: [pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak
> Ciphers
>
> On Wed, Feb 28, 2024 at
On Thu, Feb 29, 2024 at 08:59:44AM +0100, Alexander Leidinger via Postfix-users
wrote:
> # grep tls main.cf | grep -vE '^#'
> smtp_tls_security_level = encrypt
> smtpd_tls_ask_ccert = yes
> smtpd_tls_CApath = $smtp_tls_CApath
Not generally applicable.
> smtp_tls_mandatory_protocols = !SSLv2 ,
On 2024-02-28 14:55, Scott Hollenbeck via Postfix-users wrote:
Would someone please describe the configuration settings needed to support
TLS 1.2 and 1.3 with no weak ciphers? Here's what I currently have in my
That depends on your definition of "weak".
configuration files:
main.cf:
smtp
On Wed, Feb 28, 2024 at 08:55:04AM -0500, Scott Hollenbeck via Postfix-users
wrote:
> Would someone please describe the configuration settings needed to support
> TLS 1.2 and 1.3 with no weak ciphers? Here's what I currently have in my
> configuration files:
This is not the right question. Some
> -Original Message-
> From: Wietse Venema via Postfix-users
> Sent: Wednesday, February 28, 2024 3:11 PM
> To: Postfix users
> Subject: [pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak
> Ciphers
>
> Scott Hollenbeck via Postfix-users:
> >
Scott Hollenbeck via Postfix-users:
> Right, but that page says "You are strongly encouraged not to change this
> setting". I'm also unsure why I'm not seeing any TLS 1.3 ciphers when
> "smtpd_tls_protocols = >=TLSv1.2". Doesn't that setting include TLS 1.3?
tls_high_cipherlist and tls_medium_cip
-
> From: Wietse Venema via Postfix-users
> Sent: Wednesday, February 28, 2024 2:38 PM
> To: Postfix users
> Subject: [pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak
> Ciphers
>
> Scott Hollenbeck via Postfix-users:
> > Thanks, here's the outp
h_cipherlist
https://www.postfix.org/postconf.5.html#tls_medium_cipherlist
Wietse
>
> Scott
>
> > -Original Message-
> > From: Wietse Venema via Postfix-users
> > Sent: Wednesday, February 28, 2024 2:18 PM
> > To: Postfix users
> > Subject: [p
users
> Subject: [pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak
> Ciphers
>
> Scott Hollenbeck via Postfix-users:
> > Sorry, I should note that this is for postfix 3.6.4.
> >
>
> postconf -H | grep -E 'high|medium'
>
> Wie
Scott Hollenbeck via Postfix-users:
> Sorry, I should note that this is for postfix 3.6.4.
>
postconf -H | grep -E 'high|medium'
Wietse
>
> > -Original Message-
> > From: Scott Hollenbeck via Postfix-users
> > Sent: Wednesday, February 28, 2024 8:55 AM
> > To: postfix-users@pos
Sorry, I should note that this is for postfix 3.6.4.
Scott
> -Original Message-
> From: Scott Hollenbeck via Postfix-users
> Sent: Wednesday, February 28, 2024 8:55 AM
> To: postfix-users@postfix.org
> Subject: [pfx] Configuration Settings for TLS 1.2 and 1.3 with No Weak
> Ciphers
>
> Wo
18 matches