Hi,
> The OpenSSL library implements a (powerful, but fragile) cipher selection
> language. Postfix uses the OpenSSL cipher selection language with care to
> implement less flexible, but more robust/intuitive cipher "grade" levels
> and selects the grade automatically based on the destination poli
On Tue, Mar 02, 2010 at 04:04:29PM -0500, Alex wrote:
> >> It's not
> >> possible to figure out which ciphers are offered to TLS clients on my
> >> server?
> >
> > It is possible, but you will most likely shoot yourself in the foot if
> > you try to use this information to adjust Postfix settings.
Hi,
>> It's not
>> possible to figure out which ciphers are offered to TLS clients on my
>> server?
>
> It is possible, but you will most likely shoot yourself in the foot if
> you try to use this information to adjust Postfix settings.
>
> The Postfix defaults are chosen carefully, and act a barr
On Tue, Mar 02, 2010 at 02:42:37PM -0500, Alex wrote:
> > Postfix settings are documented in postconf(5). Unless you are an SSL
> > expert who understands OpenSSL source code in detail, you really should
> > not change the default settings, and generally don't need to know what
> > they are.
>
>
Hi,
> Postfix settings are documented in postconf(5). Unless you are an SSL
> expert who understands OpenSSL source code in detail, you really should
> not change the default settings, and generally don't need to know what
> they are.
So is it at OpenSSL compile time that the ciphers would be spe
On Tue, Mar 02, 2010 at 01:15:17PM -0500, Alex wrote:
> > Most unlikely. I am not aware of any legacy versions of Postfix that
> > support only SSLv2. Provided you have Postfix 2.3 or later, the TLS
> > support is sufficiently modern and robust.
>
> I'm not happy saying that it's probably older t
Hi,
> Most unlikely. I am not aware of any legacy versions of Postfix that
> support only SSLv2. Provided you have Postfix 2.3 or later, the TLS
> support is sufficiently modern and robust.
I'm not happy saying that it's probably older than that.
> OpenSSL 1.0.0 will be released shortly, if you
On Mon, Mar 01, 2010 at 11:09:08PM -0500, Alex wrote:
> I have an existing old postfix TLS server set up and working
> successfully. It was created several years ago and has been working
> fine ever since.
You don't have to upgrade Postfix.
> I'm wondering what the benefits would be with
> upgra
On 02.03.2010 06:09, Alex wrote:
> What encryption/cipher/key length, session key options, etc, choices
> should I be making if I were to do this today?
That is difficult to say without knowing what you are trying to protect,
your threat model etc. If in doubt, go with the defaults.
> Under what
Hi,
I have an existing old postfix TLS server set up and working
successfully. It was created several years ago and has been working
fine ever since. I'm wondering what the benefits would be with
upgrading? In other words, I realize I can only support SSLv2, but are
there other security designs and
10 matches