On Tue, Aug 23, 2022 at 09:21:33AM -0700, nate wrote:
> On 2022-08-22 14:46, Viktor Dukhovni wrote:
>
> [..]
>
> > You don't need to sign your own domain in order to secure outbound
> > traffic
> > to domains that others have signed. You just need a local validating
> > resolver such as "unbou
On 2022-08-22 14:46, Viktor Dukhovni wrote:
[..]
You don't need to sign your own domain in order to secure outbound
traffic
to domains that others have signed. You just need a local validating
resolver such as "unbound", with DNSSEC validation turned on.
Ok, yeah I was thinking more of DANE
On Tue, Aug 23, 2022 at 01:13:56AM -0400, Demi Marie Obenour wrote:
> You should definitely deploy DNSSEC, but only after you are able to
> deploy it properly. That means having procedures to avoid nasty DNSSEC-
> related downtime.
That's needlessly scary and non-specific. Rather, it means, tha
On 8/22/22 17:38, nate wrote:
> On 2022-08-22 14:30, Viktor Dukhovni wrote:
>
>> Correct, because there's no point. Mail would be sent whether the
>> certificate is trusted or not, and whether or not the DNS-ID matches
>> expectations.
>>
>> Setting up a TLS policy for each domain that's hosted b
On Mon, Aug 22, 2022 at 02:38:20PM -0700, nate wrote:
> On 2022-08-22 14:30, Viktor Dukhovni wrote:
>
> > Correct, because there's no point. Mail would be sent whether the
> > certificate is trusted or not, and whether or not the DNS-ID matches
> > expectations.
> >
> > Setting up a TLS policy
On 2022-08-22 14:30, Viktor Dukhovni wrote:
Correct, because there's no point. Mail would be sent whether the
certificate is trusted or not, and whether or not the DNS-ID matches
expectations.
Setting up a TLS policy for each domain that's hosted by Microsoft is
unrealistic, and they don't yet
On Mon, Aug 22, 2022 at 02:09:26PM -0700, nate wrote:
> postfix/smtp[7329]: Untrusted TLS connection established to
> example-com.mail.protection.outlook.com[104.47.55.110]:25: TLSv1.2 with
> cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
>
> I assume it says Untrusted because Postfix do
equivalent):
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
thanks Viktor and Jaroslaw!
Things are working fine, I put the cert chain in the main cert
file again, no errors this time. Outbound TLS is working ok now
postfix/smtp[7329]: Untrusted TLS connection established to
On Mon, Aug 22, 2022 at 01:41:35PM -0700, nate wrote:
> More recently I formalized this configuration even more in an attempt to
> make my system more up to date, being able to send and receive with
> TLS.
>
> This is my TLS related configuration
> [..]
> smtpd_sasl_tls_security_options = noanony
On 22.08.2022 at 13:41:35, nate wrote:
>
> What I am confused by is Postfix does not appear to be attempting
> to use TLS on any outbound emails. I have tested with Gmail and
> with MS Office 365. Sample tcpdump
Your config contains TLS settings for inbound (smtpd_tls_...) but I don't see
a
Hello list
Been using postfix for over 20 years now, though haven't really spent much
time on the SSL end of things for it.
A few years ago I set up SSL for inbound mainly for SASL auth sending that
has worked fine.
More recently I formalized this configuration even more in an attempt to
mak
Osama Al-Hassani:
> > Which Postfix SMTP client implementation matches server certificates
> > against server IP addresses?
>
> We are using 3.2.0 vanilla.
>
> To clarify, this is when using the "match" attribute with "verify" security
> level. I could rephrase the question as to why anything
DNS names are
ignored in the SANs field?
Thanks,
Osama
-----Original Message-----
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org]
On Behalf Of Wietse Venema
Sent: 15 June 2017 21:47
To: Postfix users
Subject: Re: Outbound TLS Certificate Verification
Os
> Osama
>
> -----Original Message-----
> From: owner-postfix-us...@postfix.org
> [mailto:owner-postfix-us...@postfix.org] On Behalf Of Viktor Dukhovni
> Sent: 15 June 2017 01:33
> To: postfix-users@postfix.org
> Subject: Re: Outbound TLS Certificate Verification
>
> On W
...@postfix.org [mailto:owner-postfix-us...@postfix.org]
On Behalf Of Viktor Dukhovni
Sent: 15 June 2017 01:33
To: postfix-users@postfix.org
Subject: Re: Outbound TLS Certificate Verification
On Wed, Jun 14, 2017 at 09:12:20PM +, Osama Al-Hassani wrote:
> When verifying server certificates on outbo
On Wed, Jun 14, 2017 at 09:12:20PM +, Osama Al-Hassani wrote:
> When verifying server certificates on outbound connections, it seems we
> are unable to verify the IP addresses part of the SANs field. We are able to
> verify IPs in CNs.
Email is sent to addresses of the form ,
where the "domain-p
Hi all,
When verifying server certificates on outbound connections, it seems we are
unable to verify the IP addresses part of the SANs field. We are able to verify
IPs in CNs.
What is the reasoning behind this behaviour?
Thank you,
Osama
Osama Al-Hassani
Software Engineer
[Telephone] +44 118
Viktor Dukhovni:
> On Sat, Feb 20, 2016 at 08:32:31AM -0500, Wietse Venema wrote:
>
> > > Creating a separate hash file with following content like below solved my
> > > issue but doing the same for all domains will not be an acceptable solution
> > > ...
> >
> > If you want to encrypt mail to all d
On Sat, Feb 20, 2016 at 08:32:31AM -0500, Wietse Venema wrote:
> > Creating a separate hash file with following content like below solved my
> > issue but doing the same for all domains will not be an acceptable solution ...
>
> If you want to encrypt mail to all domains:
>
> /etc/postfix/main.cf
>
Joy:
> Creating a separate hash file with following content like below solved my
> issue but doing the same for all domains will not be an acceptable solution ...
If you want to encrypt mail to all domains:

/etc/postfix/main.cf
    smtp_tls_security_level = encrypt

But I would not recommend this.
Creating a separate hash file with following content like below solved my
issue but doing the same for all domains will not be an acceptable solution ...
In case any other solution exists which I may be missing just let me know.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
gmail.com encrypt
.
Christian Kivalo:
>
>
> On 13 February 2016 11:10:25 CET, Joy wrote:
> >May I know how can I force postfix to use TLS if remote MTA advertises
> >STARTTLS on port 25 to connect to remote server ?
> >
> >I am already using TLS and connecting from outlook is working
> >perfectly,
> >but when sen
As far as I know Google use STARTTLS on port 587 and not port 25.
Have a look at
https://www.clearos.com/resources/documentation/clearos/content:en_us:kb_howtos_smtp_authentication_to_isp
to see how to set up relaying via STARTTLS.
A word of caution though. I believe
On 13 February 2016 11:10:25 CET, Joy wrote:
>May I know how can I force postfix to use TLS if remote MTA advertises
>STARTTLS on port 25 to connect to remote server ?
>
>I am already using TLS and connecting from outlook is working
>perfectly,
>but when sending mail to google it now says TLS
May I know how can I force postfix to use TLS if remote MTA advertises
STARTTLS on port 25 to connect to remote server ?
I am already using TLS and connecting from outlook is working perfectly,
but when sending mail to google it now says TLS fail.
25 matches