On 8/9/2015 12:48 PM, Viktor Dukhovni wrote:
> On Sun, Aug 09, 2015 at 12:42:00PM -0400, Mike wrote:
>
>> On this page:
>> http://www.postfix.org/FORWARD_SECRECY_README.html#client_fs
>>
>> There is:
>>
>> Once the parameters are in place, update main.cf as follows:
>>
>> /etc/postfix/main.cf
On Sun, Aug 09, 2015 at 12:42:00PM -0400, Mike wrote:
> On this page:
> http://www.postfix.org/FORWARD_SECRECY_README.html#client_fs
>
> There is:
>
> Once the parameters are in place, update main.cf as follows:
>
> /etc/postfix/main.cf:
> smtpd_tls_dh1024_param_file = ${config_dir
On Mon, Dec 23, 2013 at 09:45:45PM +0100, Andreas Schulze wrote:
> I read up to the bottom. I find the Untrusted/Trusted/Verified explanation
> very useful.
Good.
> But I'm still unsure about what an SMTP client could do
> to change a remote server's state from Trusted to Verified.
If you must-h
Andreas Schulze:
> On 23.12.2013 13:13, Wietse Venema wrote:
> > Please check out the updated text at
> > http://www.porcupine.org/postfix-mirror/FORWARD_SECRECY_README.html#quick-start
> >
> > This clarifies what is/isn't optional and why one might want to
> > make some change. Only those who w
On 23.12.2013 13:13, Wietse Venema wrote:
> Please check out the updated text at
> http://www.porcupine.org/postfix-mirror/FORWARD_SECRECY_README.html#quick-start
>
> This clarifies what is/isn't optional and why one might want to
> make some change. Only those who want the gory details should
>
Tom Hendrikx:
> So it doesn't have to be more technical or advanced. There were some
> connections between dots missing in the higher level picture.
Please check out the updated text at
http://www.porcupine.org/postfix-mirror/FORWARD_SECRECY_README.html#quick-start
This clarifies what is/isn't op
On 23-12-13 18:40, Wietse Venema wrote:
> Viktor Dukhovni:
>> On Mon, Dec 23, 2013 at 05:49:40PM +0100, Tom Hendrikx wrote:
>>
I am still fixing it for clarity, but it should be accurate.
Feedback is welcome.
>>>
>>> After reading,
On 23-12-13 18:30, Viktor Dukhovni wrote:
> On Mon, Dec 23, 2013 at 05:49:40PM +0100, Tom Hendrikx wrote:
>
>>> I am still fixing it for clarity, but it should be accurate.
>>> Feedback is welcome.
>>>
>>
>> After reading, I'm having some questio
Viktor Dukhovni:
> On Mon, Dec 23, 2013 at 05:49:40PM +0100, Tom Hendrikx wrote:
>
> > > I am still fixing it for clarity, but it should be accurate.
> > > Feedback is welcome.
> > >
> >
> > After reading, I'm having some questions.
>
> s/reading/skimming/ :-)
In this section, the commands tha
On Mon, Dec 23, 2013 at 05:49:40PM +0100, Tom Hendrikx wrote:
> > I am still fixing it for clarity, but it should be accurate.
> > Feedback is welcome.
> >
>
> After reading, I'm having some questions.
s/reading/skimming/ :-)
> The document states that forward secrecy is supported by default o
Tom Hendrikx:
> Setting the files (and refreshing them using a cronjob) specified by
> 'smtpd_tls_mumble_param_file' is a bit unclear though. The default for
> these params is empty, and setting them does not really show a
> different behavior in postfix (i.e. using different ciphers and keys)
> as
On 23-12-13 15:40, Wietse Venema wrote:
> nanotek:
>> Still, might be a good time to create my own CA and upgrade to
>> 4096 bit keys/certificates using SHA512 algorithms and make use
>> of some Diffie-Hellman ephemeral elliptic curve parameters for
On 24/12/2013 3:19 AM, Viktor Dukhovni wrote:
On Tue, Dec 24, 2013 at 03:00:37AM +1100, nanotek wrote:
We obviously don't know which is stronger against hypothetical
unpublished attacks, EDH at 2048-bits or the P-256 curve. Feel
free to roll the dice. Against publicly known attacks P-256 is
On Tue, Dec 24, 2013 at 03:00:37AM +1100, nanotek wrote:
> >We obviously don't know which is stronger against hypothetical
> >unpublished attacks, EDH at 2048-bits or the P-256 curve. Feel
> >free to roll the dice. Against publicly known attacks P-256 is
> >both more secure and more computatio
On 24/12/2013 2:09 AM, Viktor Dukhovni wrote:
On Tue, Dec 24, 2013 at 01:29:38AM +1100, nanotek wrote:
Still, might be a good time to create my own CA and upgrade to 4096 bit
keys/certificates
You can deploy 4096-bit RSA key if it makes you feel more cool,
but there is little point in going b
On 24/12/2013 1:40 AM, Wietse Venema wrote:
nanotek:
Still, might be a good time to create my own CA and upgrade to 4096 bit
keys/certificates using SHA512 algorithms and make use of some
Diffie-Hellman ephemeral elliptic curve parameters for perfect forward
secrecy. I've read http://www.postfix
16 matches