On 8/9/2015 12:48 PM, Viktor Dukhovni wrote:
> On Sun, Aug 09, 2015 at 12:42:00PM -0400, Mike wrote:
>
>> On this page:
>> http://www.postfix.org/FORWARD_SECRECY_README.html#client_fs
>>
>> There is:
>>
>> Once the parameters are in place, update main.cf as follows:
>>
>> /etc/postfix/main.cf
On Sun, Aug 09, 2015 at 12:42:00PM -0400, Mike wrote:
> On this page:
> http://www.postfix.org/FORWARD_SECRECY_README.html#client_fs
>
> There is:
>
> Once the parameters are in place, update main.cf as follows:
>
> /etc/postfix/main.cf:
> smtpd_tls_dh1024_param_file = ${config_dir
On this page:
http://www.postfix.org/FORWARD_SECRECY_README.html#client_fs
There is:
Once the parameters are in place, update main.cf as follows:
/etc/postfix/main.cf:
smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem
smtpd_tls_dh512_param_file = ${config_dire
micah:
> I completely agree, however it seems we do not agree with what the matching
> names should be. That is precisely why I write this message. The postfix
> parameter names and documentation should adopt the standardized names
> that openssl is changing to. As it is written now, the postfix TLS
We
rameters and
> documentation.
I completely agree, however it seems we do not agree with what the matching
names should be. That is precisely why I write this message. The postfix
parameter names and documentation should adopt the standardized names
that openssl is changing to. As it is written now, t
On Sun, Jan 05, 2014 at 06:31:46PM -0500, micah wrote:
> > Given cipherlist class names:
> >
> > kEECDH - cipher suites that support Ephemeral ECDH key exchange
> > kEDH - cipher suites that support Ephemeral DH key exchange
>
> I'm sorry, but I have no idea what "cipherlist class nam
Hi Viktor,
Thanks for the reply.
Viktor Dukhovni writes:
> On Thu, Jan 02, 2014 at 06:03:40PM -0500, micah wrote:
>
>> I notice that you are using OpenSSL's private terminology (EDH and
>> EECDH) instead of the standard terminology (DHE and ECDHE).
>
> Given cipherlist class names:
>
> k
On Thu, Jan 02, 2014 at 06:03:40PM -0500, micah wrote:
> I notice that you are using OpenSSL's private terminology (EDH and
> EECDH) instead of the standard terminology (DHE and ECDHE).
Given cipherlist class names:
kEECDH - cipher suites that support Ephemeral ECDH key exchange
Wietse Venema writes:
> Postfix has supported forward secrecy for TLS since version 2.2
> when the TLS patch was adopted into Postfix. Things have changed a
> lot since then, both in TLS and in the real world.
>
> Viktor wrote up a FORWARD_SECRECY_README that summarizes the Po
On Mon, Dec 23, 2013 at 09:45:45PM +0100, Andreas Schulze wrote:
> I read up to the bottom. I find the Untrusted/Trusted/Verified explanation
> very useful.
Good.
> But I'm still unsure about what an SMTP client could do
> to change a remote server's state from Trusted to Verified.
If you must-h
Andreas Schulze:
> On 23.12.2013 13:13, Wietse Venema wrote:
> > Please check out the updated text at
> > http://www.porcupine.org/postfix-mirror/FORWARD_SECRECY_README.html#quick-start
> >
> > This clarifies what is/isn't optional and why one might want to
> > make some change. Only those who w
On 23.12.2013 13:13, Wietse Venema wrote:
> Please check out the updated text at
> http://www.porcupine.org/postfix-mirror/FORWARD_SECRECY_README.html#quick-start
>
> This clarifies what is/isn't optional and why one might want to
> make some change. Only those who want the gory details should
>
Tom Hendrikx:
> So it doesn't have to be more technical or advanced. There were some
> connections between dots missing in the higher level picture.
Please check out the updated text at
http://www.porcupine.org/postfix-mirror/FORWARD_SECRECY_README.html#quick-start
This clarifies what is/isn't op
On 23-12-13 18:40, Wietse Venema wrote:
> Viktor Dukhovni:
>> On Mon, Dec 23, 2013 at 05:49:40PM +0100, Tom Hendrikx wrote:
>>
I am still fixing it for clarity, but it should be accurate.
Feedback is welcome.
>>>
>>> After reading,
>
>> After reading, I'm having some questions.
>
> s/reading/skimming/ :-)
>
>> The document states that forward secrecy is supported by default
>> on recent postfix installs. However, the quick-start still has
>> some settings that apparently need tw
Viktor Dukhovni:
> On Mon, Dec 23, 2013 at 05:49:40PM +0100, Tom Hendrikx wrote:
>
> > > I am still fixing it for clarity, but it should be accurate.
> > > Feedback is welcome.
> > >
> >
> > After reading, I'm having some questions.
>
> s/reading/skimming/ :-)
In this section, the commands tha
On Mon, Dec 23, 2013 at 05:49:40PM +0100, Tom Hendrikx wrote:
> > I am still fixing it for clarity, but it should be accurate.
> > Feedback is welcome.
> >
>
> After reading, I'm having some questions.
s/reading/skimming/ :-)
> The document states that forward
erent ciphers and keys)
> as far as visible from the logged information.
>
> But since forward secrecy is supported by default, what does it help
> to specify these params, and re-generate them once in a while? I've no
Note: greater security against "pre-computation
curve parameters for
>> perfect forward secrecy. I've read
>> http://www.postfix.org/TLS_README.html -- Postfix documentation
>> is exceptional by the way -- are there any guides for DHE?
>
> There is a work-in-progress document on forward secrecy that
> covers both
On 24/12/2013 3:19 AM, Viktor Dukhovni wrote:
On Tue, Dec 24, 2013 at 03:00:37AM +1100, nanotek wrote:
We obviously don't know which is stronger against hypothetical
unpublished attacks, EDH at 2048-bits or the P-256 curve. Feel
free to roll the dice. Against publicly known attacks P-256 is
On Tue, Dec 24, 2013 at 03:00:37AM +1100, nanotek wrote:
> >We obviously don't know which is stronger against hypothetical
> >unpublished attacks, EDH at 2048-bits or the P-256 curve. Feel
> >free to roll the dice. Against publicly known attacks P-256 is
> >both more secure and more computatio
ading into this as I just upgraded to OpenSSL 1.0.1e
(FreeBSD base system still installs 0.9.8y). I thought v1.x supported
SHA256 cipher suites. Thanks for making me aware, Viktor.
and make use of some
Diffie-Hellman ephemeral elliptic curve parameters for perfect forward
secrecy.
This is ena
On 24/12/2013 1:40 AM, Wietse Venema wrote:
nanotek:
Still, might be a good time to create my own CA and upgrade to 4096 bit
keys/certificates using SHA512 algorithms and make use of some
Diffie-Hellman ephemeral elliptic curve parameters for perfect forward
secrecy. I've read
nanotek:
> Still, might be a good time to create my own CA and upgrade to 4096 bit
> keys/certificates using SHA512 algorithms and make use of some
> Diffie-Hellman ephemeral elliptic curve parameters for perfect forward
> secrecy. I've read http://www.postfix.org/TLS_READM
On Wed, 18 Dec 2013 15:15:34 -0500 (EST)
wie...@porcupine.org (Wietse Venema) wrote:
> Postfix has supported forward secrecy for TLS since version 2.2
> when the TLS patch was adopted into Postfix. Things have changed a
> lot since then, both in TLS and in the real world.
>
> Vi
Postfix has supported forward secrecy for TLS since version 2.2
when the TLS patch was adopted into Postfix. Things have changed a
lot since then, both in TLS and in the real world.
Viktor wrote up a FORWARD_SECRECY_README that summarizes the Postfix
side of things all in one place.
Available