Thanks for everyone's help on this.
I have stunnel working now and I look forward to getting the official
Postfix from RHEL (or perhaps CentOS - whatever ClearOS decides to use
as a base distro) some time in the future.
Nick
On 2015-01-19 04:29, Viktor Dukhovni wrote:
On Thu, Jan 15, 2015 a
On Thu, Jan 15, 2015 at 12:53:38PM +, Nick Howitt wrote:
> In the meanwhile as it will probably take ages for RHEL to incorporate your
> patches and upgrade to the latest version (I think I'm on 2.6.6-6 but I'd
> need to check at home) I'll follow your suggestion and look at stunnel.
The new
Thanks for all this attention to my problem.
I would like to give a little history as to perhaps why port 465
authentication is required.
VirginMedia (and NTLWorld, therefore) appear to sub out their e-mail
handling to GMail. All the webmail appears the same but is branded VM. A
few years ag
Viktor Dukhovni:
> As for wrapper mode, I think it should insist on the destination's
> security level being neither disabled nor opportunistic as in the
> revised posttls-finger. Something along the lines of:
>
> + if (state->wrapper_mode
> + && (state->level <= TLS_LEV_NONE
> +
Viktor Dukhovni:
> And of course with "may", we need to avoid any attempt at cleartext
> fallback if we're doing wrapper-mode SMTP.
Again, the client-side wrappermode implementation never speaks
plaintext. It calls smtp_tls_start() upon completion of the TCP
connection.
Wietse
On Thu, Jan 15, 2015 at 03:20:27AM +, Viktor Dukhovni wrote:
> And of course with "may", we need to avoid any attempt at cleartext
> fallback if we're doing wrapper-mode SMTP.
With the previous posttls-finger patch, it was still possible to
attempt both wrapper-mode (-w) and TLS disabled (-l
On Wed, Jan 14, 2015 at 09:39:21PM -0500, Wietse Venema wrote:
> > Not quite sure what the TLS library will do if handed a request to
> > do TLS when the security level happens to be "none". In particular,
> > various TLS-related bits for the session may not be set, and crashes
> > are possible.
Viktor Dukhovni:
> > Also, there is no need for smtp_tls_security_level=encrypt since the
> > client will not send plaintext anyway. Any smtp_tls_security_level
> > that is not "none" will suffice.
>
> Not quite sure what the TLS library will do if handed a request to
> do TLS when the security le
On Thu, Jan 15, 2015 at 12:55:26AM +, Viktor Dukhovni wrote:
> Perverse configurations with wrapper mode and a security level of
> "none" are configuration errors.
As is a security level of "may" which is opportunistic and supports
cleartext and fallback to cleartext.
By the time destination
On Wed, Jan 14, 2015 at 07:33:17PM -0500, Wietse Venema wrote:
> This proof-of-concept version minimizes scar tissue, by patching
> into the existing code path. Things that I might want to change:
>
> - Move the new smtp_start_tls() call + flags twiddling into a new
> function smtp_smtps() that
Viktor Dukhovni:
> On Wed, Jan 14, 2015 at 06:08:16PM -0500, Wietse Venema wrote:
>
> > > The security level for "smtps" should be at least "encrypt" or
> > > ideally "secure", though "fingerprint" and "dane-only" might also
> > > be options. We'd need to rule out "may" so as to avoid plaintext
> >