On Tue, May 13, 2014 at 04:20:37PM +0100, SW wrote:
> When I send an email (submission) from Thunderbird the logs show:
>
> postfix/submission/smtpd[77780]: Anonymous TLS connection established from
> machine.domain.com[192.168.14.120]: TLSv1.2 with cipher
> ECDHE-ECDSA-AES128-SHA (128/128 bits)
Currently my cipher list looks as follows:
tls_high_cipherlist =
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:
On Tue, May 13, 2014 at 08:22:46AM +0100, SW wrote:
> I'll leave it configured as you have mentioned for now. When OpenSSL 1.0.2
> is released I will change it back to how it should be.
>
> Is there any way I can send/receive a test email that makes use of an ECDSA
> cert? As expected, all the cu
I'll leave it configured as you have mentioned for now. When OpenSSL
1.0.2 is released I will change it back to how it should be.
Is there any way I can send/receive a test email that makes use of an
ECDSA cert? As expected, all the current TLS connections in the logs are
for RSA certs.
On Mon, May 12, 2014 at 09:39:39PM +0100, SW wrote:
> And this seems to have done the trick! Running:
>
> openssl s_client -connect mail.domain.com:25 -crlf -starttls smtp -CAfile
> /usr/local/openssl/certs/AddTrustExternalCARoot.crt
>
> returns:
>
> Verify return code: 0 (ok)
This results in
Ok, so I have tried:
cat mail.domain.com.ecdsa.crt
COMODOECCDomainValidationSecureServerCA.crt COMODOECCAddTrustCA.crt
/support/certs/sha256/COMODORSADomainValidationSecureServerCA.crt
/support/certs/sha256/COMODORSAAddTrustCA.crt >
mail.domain.com.chained.postfix.ecdsa_2.crt
cat mail.domai
On Mon, May 12, 2014 at 08:44:00PM +0100, SW wrote:
>
> A work-around is to list all the relevant CAs in the chain files
> for both algorithms. The patches that resolve this for 1.0.2 are
> attached for educational purposes only. They are unlikely to apply
> to 1.0.1 or earlier in isolation, an
Hi Viktor
Many thanks for the reply! So I'm not going crazy...
You said:
A work-around is to list all the relevant CAs in the chain files
for both algorithms. The patches that resolve this for 1.0.2 are
attached for educational purposes only. They are unlikely to ap
On Mon, May 12, 2014 at 04:43:27PM +0100, SW wrote:
> Certificate chain
> 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=mail.domain.com
>   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO
> RSA Domain Validation Secure Server CA
Notice that the issuer of t
Yesterday I had my SSL certificate re-issued. I now have two
certificates for the same domain. One has an RSA signature and the new
one I received yesterday uses ECDSA. I enabled the ECDSA certificate in
Dovecot and Apache and those services are working great.
In Postfix I have enabled two cer