On 2017-04-19 (08:24 MDT), Viktor Dukhovni wrote:
>
> Reasonably current Postfix releases have "smtp_tls_ciphers = medium", which
> already excludes LOW and EXPORT.
Oh, that’s right. Thanks for the reminder.
--
Apple broke AppleScripting signatures in Mail.app, so no random signatures.
> On Apr 19, 2017, at 7:45 AM, Philip Paeps wrote:
>
>>> smtp_tls_exclude_ciphers = MD5, aDSS, kECDH, kDH, SEED, IDEA, RC2, RC5
>>
>> I have these, but also LOW, EXPORT, and RC4. Are these not needed?
Reasonably current Postfix releases have "smtp_tls_ciphers = medium", which
already excludes
On 2017-04-19 13:33:13 (+0200), @lbutlr wrote:
On 2017-04-13 (11:21 MDT), Viktor Dukhovni wrote:
smtp_tls_exclude_ciphers = MD5, aDSS, kECDH, kDH, SEED, IDEA, RC2, RC5
I have these, but also LOW, EXPORT, and RC4. Are these not needed?
That depends on the versions of Postfix and OpenSSL on
On 2017-04-13 (11:21 MDT), Viktor Dukhovni wrote:
>
> smtp_tls_exclude_ciphers = MD5, aDSS, kECDH, kDH, SEED, IDEA, RC2, RC5
I have these, but also LOW, EXPORT, and RC4. Are these not needed?
--
Apple broke AppleScripting signatures in Mail.app, so no random signatures.
On 2017-04-13 (08:54 MDT), Phil Stracchino wrote:
>
> From today's log only (the rest are compressed):
bzgrep "TLS connection established from.*with cipher" \
/var/log/maillog.{0..14}.bz2 | \
awk '{printf("%s %s %s %s\n", $12, $13, $14, $15)}' | \
sort | uniq -c | sort -rn
--
Apple broke
Message written by Viktor Dukhovni on 13.04.2017, at 20:35:
>
>
>> On Apr 13, 2017, at 1:55 PM, Zbyszek Żółkiewski wrote:
>>
>> And as the note that it not make things secure: yes I understand that - but
>> if there is technology that is new and can be used - why not prioritiz
> On Apr 13, 2017, at 1:49 PM, Zbyszek Żółkiewski wrote:
>
> Thanks for the insights,
>
> Please note that "aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH"
> is a default postfix configuration
Yes, I set that default...
> - and I do not change it - just by adding ECDSA at the beginnin
Message written by Philip Paeps on 13.04.2017, at 19:46:
>
> How did you test it without RSA? If I try to connect to Google without RSA
> support (aNULL:-aNULL:HIGH:-aRSA:@STRENGTH), it fails to negotiate a cipher
> and the connection drops.
>
> As pointed out though: this rea
_
Zbyszek Żółkiewski
> Message written by Viktor Dukhovni on 13.04.2017, at 19:21:
>
>
>> On Apr 13, 2017, at 11:28 AM, Zbyszek Żółkiewski wrote:
>>
>> all looks good except _outgoing_ mail that still uses
>> ECDHE-RSA-AES128-GCM-SHA256. Incoming mail is using
>> ECDHE-ECDS
> On Apr 13, 2017, at 11:28 AM, Zbyszek Żółkiewski wrote:
>
> all looks good except _outgoing_ mail that still uses
> ECDHE-RSA-AES128-GCM-SHA256. Incoming mail is using
> ECDHE-ECDSA-AES256-GCM-SHA384 and clients as well are using
> ECDHE-ECDSA-AES256-GCM-SHA384.
>
> so where is problem ? s
> On Apr 13, 2017, at 7:33 AM, Zbyszek Żółkiewski wrote:
>
> Question: postfix 2.11: I have configured both RSA and ECDSA support on the
> server (smtpd_tls_cert_file and smtpd_tls_eccert_file) and support for ECDSA
> works great - however ECDSA is _never_ selected as cipher for sending or
>
On 2017-04-13 17:28:44 (+0200), Zbyszek Żółkiewski wrote:
Message written by Philip Paeps on 13.04.2017, at 16:04:
On 2017-04-13 15:55:12 (+0200), Zbyszek Żółkiewski wrote:
Message written by Philip Paeps on 13.04.2017, at 15:50:
On 2017-04-13 14:53:50 (+0200),
all looks good except _outgoing_ mail that still uses
ECDHE-RSA-AES128-GCM-SHA256. Incoming mail is using
ECDHE-ECDSA-AES256-GCM-SHA384 and clients as well are using
ECDHE-ECDSA-AES256-GCM-SHA384.
so where is the problem? Settings are:
smtp_tls_ciphers = high
smtp_tls_mandatory_ciphers = high
smt
On 2017-04-13 08:16:29 (-0600), @lbutlr wrote:
On 2017-04-13 (07:50 MDT), Philip Paeps wrote:
egrep "TLS connection established from.*with cipher" \
/var/log/maillog* | awk \
'{printf("%s %s %s %s\n", $12, $13, $14, $15)}' | \
sort | uniq -c | sort -n
Interesting. Ran this over a few d
On 04/13/17 10:16, @lbutlr wrote:
> On 2017-04-13 (07:50 MDT), Philip Paeps wrote:
>>
>> egrep "TLS connection established from.*with cipher" \
>> /var/log/maillog* | awk \
>> '{printf("%s %s %s %s\n", $12, $13, $14, $15)}' | \
>> sort | uniq -c | sort -n
>
> Interesting. Ran this over a fe
On 2017-04-13 (07:50 MDT), Philip Paeps wrote:
>
> egrep "TLS connection established from.*with cipher" \
> /var/log/maillog* | awk \
> '{printf("%s %s %s %s\n", $12, $13, $14, $15)}' | \
> sort | uniq -c | sort -n
Interesting. Ran this over a few days of logs:
5288 TLSv1.2 with cipher EC
On 2017-04-13 15:55:12 (+0200), Zbyszek Żółkiewski wrote:
Message written by Philip Paeps on 13.04.2017, at 15:50:
On 2017-04-13 14:53:50 (+0200), Zbyszek Żółkiewski wrote:
Message written by Zbyszek Żółkiewski on 13.04.2017, at 13:33:
Question: postfix 2.11:
Thanks for the comment. But please note that I am using the default Postfix "high"
settings - my only change is to force ECDSA at the beginning of the cipher
list.
Full list from openssl is:
ciphers 'ECDSA:aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH'
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-E
On 2017-04-13 14:53:50 (+0200), Zbyszek Żółkiewski wrote:
Message written by Zbyszek Żółkiewski on 13.04.2017, at 13:33:
Question: postfix 2.11: I have configured both RSA and ECDSA support
on the server (smtpd_tls_cert_file and smtpd_tls_eccert_file) and
support for ECDSA wor
I think I found a solution to this, by modifying the default high list to:
tls_high_cipherlist = ECDSA:aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH
The server now prefers ECDSA over RSA. Can someone cross-check whether that is the correct
solution for the problem and does not pose any risk?
thanks,
_
Zbyszek Żó