On Tue, Aug 23, 2022 at 09:21:33AM -0700, nate wrote:
> On 2022-08-22 14:46, Viktor Dukhovni wrote:
>
> [..]
>
> > You don't need to sign your own domain in order to secure outbound traffic
> > to domains that others have signed. You just need a local validating
> > resolver such as "unbou
On 2022-08-22 14:46, Viktor Dukhovni wrote:
[..]
You don't need to sign your own domain in order to secure outbound traffic
to domains that others have signed. You just need a local validating
resolver such as "unbound", with DNSSEC validation turned on.
Ok, yeah I was thinking more of DANE
On Tue, Aug 23, 2022 at 01:13:56AM -0400, Demi Marie Obenour wrote:
> You should definitely deploy DNSSEC, but only after you are able to
> deploy it properly. That means having procedures to avoid nasty DNSSEC-
> related downtime.
That's needlessly scary and non-specific. Rather, it means, tha
On 8/22/22 17:38, nate wrote:
> On 2022-08-22 14:30, Viktor Dukhovni wrote:
>
>> Correct, because there's no point. Mail would be sent whether the
>> certificate is trusted or not, and whether or not the DNS-ID matches
>> expectations.
>>
>> Setting up a TLS policy for each domain that's hosted b
On Mon, Aug 22, 2022 at 02:38:20PM -0700, nate wrote:
> On 2022-08-22 14:30, Viktor Dukhovni wrote:
>
> > Correct, because there's no point. Mail would be sent whether the
> > certificate is trusted or not, and whether or not the DNS-ID matches
> > expectations.
> >
> > Setting up a TLS policy
On 2022-08-22 14:30, Viktor Dukhovni wrote:
Correct, because there's no point. Mail would be sent whether the
certificate is trusted or not, and whether or not the DNS-ID matches
expectations.
Setting up a TLS policy for each domain that's hosted by Microsoft is
unrealistic, and they don't yet
On Mon, Aug 22, 2022 at 02:09:26PM -0700, nate wrote:
> postfix/smtp[7329]: Untrusted TLS connection established to
> example-com.mail.protection.outlook.com[104.47.55.110]:25: TLSv1.2 with
> cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
>
> I assume it says Untrusted because Postfix do
On 2022-08-22 13:55, Viktor Dukhovni wrote:
This should be the full certificate chain, not just the lead
certificate.
For that, you need at least:
smtp_tls_security_level = may
or perhaps (given a local validating resolver and only loopback
nameserver IPs in /etc/resolv.conf or equival
On Mon, Aug 22, 2022 at 01:41:35PM -0700, nate wrote:
> More recently I formalized this configuration even more in an attempt to
> make my system more up to date, being able to send and receive with
> TLS.
>
> This is my TLS related configuration
> [..]
> smtpd_sasl_tls_security_options = noanony
On 22.08.2022 at 13:41:35, nate wrote:
>
> What I am confused by is Postfix does not appear to be attempting
> to use TLS on any outbound emails. I have tested with Gmail and
> with MS Office 365. Sample tcpdump
Your config contains TLS settings for inbound (smtpd_tls_...) but I don't see
a
Hello list
Been using postfix for over 20 years now, though haven't really spent much
time on the SSL end of things for it.
A few years ago I set up SSL for inbound mainly for SASL auth sending that
has worked fine.
More recently I formalized this configuration even more in an attempt to
mak