Re: SSL not working after unwanted server migration

2018-12-10 Thread Alice Wonder
On 12/10/18 6:58 PM, Alice Wonder wrote:
It is the responsibility of the client to not send if the connection is not secure, if the client wants to guarantee security for those it sends for. Using a reduced cipher list means there is less illusion of security where it doesn't actually exist

Re: SSL not working after unwanted server migration

2018-12-10 Thread Alice Wonder
On 12/10/18 6:11 PM, Viktor Dukhovni wrote:
On Dec 10, 2018, at 8:19 PM, Alice Wonder wrote:
Even in this thread someone pointed out that Debian defaults to 1024-bit RSA. You end up with things like SHA1 still enabled because upstream thought the compatibility mattered more than the security.

Re: SSL not working after unwanted server migration

2018-12-10 Thread Viktor Dukhovni
> On Dec 10, 2018, at 8:19 PM, Alice Wonder wrote:
>
> Even in this thread someone pointed out that Debian defaults to 1024-bit RSA.
> You end up with things like SHA1 still enabled because upstream thought the
> compatibility mattered more than the security.
>
> So yes, I made a typo, and may

Re: SSL not working after unwanted server migration

2018-12-10 Thread Alice Wonder
On 12/10/18 5:19 PM, Alice Wonder wrote:
On 12/10/18 12:25 PM, Viktor Dukhovni wrote:
On Dec 10, 2018, at 7:22 AM, Alice Wonder wrote:
ssl_min_protocol = TLSv1.2
ssl_cipher_list = EECDH+CHACHA20:EECDH+AESGCM:EECDH+SHA384:EECDH+SHA256:EECDH:!3DES:!RC4:!ADH:!LOW@STRENGTH
ssl_prefer_server_ci

Re: SSL not working after unwanted server migration

2018-12-10 Thread Alice Wonder
On 12/10/18 12:25 PM, Viktor Dukhovni wrote:
On Dec 10, 2018, at 7:22 AM, Alice Wonder wrote:
ssl_min_protocol = TLSv1.2
ssl_cipher_list = EECDH+CHACHA20:EECDH+AESGCM:EECDH+SHA384:EECDH+SHA256:EECDH:!3DES:!RC4:!ADH:!LOW@STRENGTH
ssl_prefer_server_ciphers = yes
The cipherlist syntax is wrong,

Re: SSL not working after unwanted server migration

2018-12-10 Thread Andrey Repin
Greetings, Alice Wonder!

> This is what I use in dovecot:
> ssl_min_protocol = TLSv1.2
> ssl_cipher_list = EECDH+CHACHA20:EECDH+AESGCM:EECDH+SHA384:EECDH+SHA256:EECDH:!3DES:!RC4:!ADH:!LOW@STRENGTH
> ssl_prefer_server_ciphers = yes

Don't touch SSL cipherlist unless you 100% know what you are

Re: SSL not working after unwanted server migration

2018-12-10 Thread Robert Chalmers
Marco

Post your logs showing the errors.

__
Robert Chalmers
https://robert-chalmers.uk
aut...@robert-chalmers.uk
@R_A_Chalmers

On 10 Dec 2018, at 8:25 pm, Viktor Dukhovni wrote:

>> On Dec 10, 2018, at 7:22 AM, Alice Wonder wrote:
>>
>> ssl_min_protocol = TLSv1.2
>> ssl_cipher_li

Re: SSL not working after unwanted server migration

2018-12-10 Thread Viktor Dukhovni
> On Dec 10, 2018, at 7:22 AM, Alice Wonder wrote:
>
> ssl_min_protocol = TLSv1.2
> ssl_cipher_list = EECDH+CHACHA20:EECDH+AESGCM:EECDH+SHA384:EECDH+SHA256:EECDH:!3DES:!RC4:!ADH:!LOW@STRENGTH
> ssl_prefer_server_ciphers = yes

The cipherlist syntax is wrong, you're missing a ":" between "!LOW"

RE: SSL not working after unwanted server migration

2018-12-10 Thread Fazzina, Angelo
revention Mass Mailing G Suite/Gmail
ang...@uconn.edu
University of Connecticut, ITS, SSG, Server Systems
860-486-9075

-Original Message-
From: owner-postfix-us...@postfix.org On Behalf Of Viktor Dukhovni
Sent: Monday, December 10, 2018 10:01 AM
To: Postfix users
Subject: Re: SSL not

Re: SSL not working after unwanted server migration

2018-12-10 Thread Jim P.
On Mon, 2018-12-10 at 04:22 -0800, Alice Wonder wrote:

> ssl_min_protocol = TLSv1.2
> ssl_cipher_list = EECDH+CHACHA20:EECDH+AESGCM:EECDH+SHA384:EECDH+SHA256:EECDH:!3DES:!RC4:!ADH:!LOW@STRENGTH
> ssl_prefer_server_ciphers = yes

Don't forget about ssl_dh_parameters_length, it's default on Deb

Re: SSL not working after unwanted server migration

2018-12-10 Thread Alice Wonder
On 12/10/18 6:46 AM, Marco Fioretti wrote:
Hello Viktor, and all.
This is only a partial answer to Viktor's last email:
On Mon, 10 Dec 2018 at 13:56, Viktor Dukhovni wrote:
-r. 1 root root 3546 Dec 7 11:59 fullchain1.pem
-rw-r--r--. 1 root root 1704 Dec 7 11:5

Re: SSL not working after unwanted server migration

2018-12-10 Thread Viktor Dukhovni
> On Dec 10, 2018, at 9:46 AM, Marco Fioretti wrote:
>
> This afternoon I have urgent family matters to attend, not sure if I
> will be able to test and report before tomorrow afternoon about all the
> other advice I got so far.

You can skip all the other advice. You need to post logs, specificall

Re: SSL not working after unwanted server migration

2018-12-10 Thread Marco Fioretti
Hello Viktor, and all.

This is only a partial answer to Viktor's last email:

On Mon, 10 Dec 2018 at 13:56, Viktor Dukhovni wrote:

> > -r. 1 root root 3546 Dec 7 11:59 fullchain1.pem
> > -rw-r--r--. 1 root root 1704 Dec 7 11:59 privkey1.pem
>
> This looks rather o

Re: SSL not working after unwanted server migration

2018-12-10 Thread Viktor Dukhovni
On Mon, Dec 10, 2018 at 01:02:25PM +0100, Marco Fioretti wrote:

> I just changed my permission in the same way, except that the files
> are in another folder (does it make any difference? It shouldn't
> right?), i.e. the same where letsencrypt/certbot put them:
>
> -r. 1 root root 35

Re: SSL not working after unwanted server migration

2018-12-10 Thread Alice Wonder
Sorry about the setenforce advice, I didn't see you already had that covered.

The path for the certs should not matter as long as the files exist.

One thing with dovecot - make sure the PEM file has the cert and the bundle in it.

    cat certificate.pem ca-bundle.pem > combined.pem

Then set ss

Re: SSL not working after unwanted server migration

2018-12-10 Thread Marco Fioretti
Hello Alice, see answers in line

On Mon, 10 Dec 2018 at 12:09, Alice Wonder wrote:
>
> When troubleshooting on systems with SELinux I put it in permissive mode -
> setenforce 0

this is already the case on the new VPS (FWIW, I personally share your feelings about selinux in gener

Re: SSL not working after unwanted server migration

2018-12-10 Thread Robert Chalmers
Just looking at this again… Do you have in or remember to update…. (note the use of as a marker)

dovecot/conf.d/10-ssl.conf

    ssl_cert = /fullchain.pem
    ssl_key = /privkey.pem

and in postfix/main.cf

    #TLS parameters
    smtpd_use_tls=yes
    smtpd_tls_ciphers = medium
    smtpd_tls_security_level = may

Re: SSL not working after unwanted server migration

2018-12-10 Thread Alice Wonder
When troubleshooting on systems with SELinux I put it in permissive mode -

    setenforce 0

Personally I prefer to disable it, it gets in the way too often and so far has never prevented an actual attack on any of my systems, and just when I start to figure things out - they change how it works o

Re: SSL not working after unwanted server migration

2018-12-10 Thread Marco Fioretti
On Mon, 10 Dec 2018 at 09:14, Robert Chalmers wrote:
>
> Google is refusing access because your ipv6 PTR does not map to your domain.
> It’s the common (now) google reverse lookup failing.
>

... thanks for the reminder. I know, but had temporarily forgotten due to how that this

Re: SSL not working after unwanted server migration

2018-12-10 Thread Robert Chalmers
Google is refusing access because your ipv6 PTR does not map to your domain. It’s the common (now) google reverse lookup failing.

-
Robert Chalmers
https://robert-chalmers.uk
aut...@robert-chalmers.uk
@R_A_Chalmers

> On 10 Dec 2018, at 8:08 am, Marco Fioretti wrote:
>
> Greetings,
>
> I