On 12/10/18 6:58 PM, Alice Wonder wrote:
It is the responsibility of the client to not send if the connection is
not secure, if the client wants to guarantee security for those it sends
for. Using a reduced cipher lists means there is less illusion of
security where it doesn't actually exist
On 12/10/18 6:11 PM, Viktor Dukhovni wrote:
On Dec 10, 2018, at 8:19 PM, Alice Wonder wrote:
Even in this thread someone pointed out that Debian defaults to 1024-bit RSA.
You end up with things like SHA1 still enabled because upstream thought the
compatibility mattered more than the security.
> On Dec 10, 2018, at 8:19 PM, Alice Wonder wrote:
>
> Even in this thread someone pointed out that Debian defaults to 1024-bit RSA.
> You end up with things like SHA1 still enabled because upstream thought the
> compatibility mattered more than the security.
>
> So yes, I made a typo, and may
On 12/10/18 5:19 PM, Alice Wonder wrote:
On 12/10/18 12:25 PM, Viktor Dukhovni wrote:
On Dec 10, 2018, at 7:22 AM, Alice Wonder wrote:
ssl_min_protocol = TLSv1.2
ssl_cipher_list =
EECDH+CHACHA20:EECDH+AESGCM:EECDH+SHA384:EECDH+SHA256:EECDH:!3DES:!RC4:!ADH:!LOW@STRENGTH
ssl_prefer_server_ci
On 12/10/18 12:25 PM, Viktor Dukhovni wrote:
On Dec 10, 2018, at 7:22 AM, Alice Wonder wrote:
ssl_min_protocol = TLSv1.2
ssl_cipher_list =
EECDH+CHACHA20:EECDH+AESGCM:EECDH+SHA384:EECDH+SHA256:EECDH:!3DES:!RC4:!ADH:!LOW@STRENGTH
ssl_prefer_server_ciphers = yes
The cipherlist syntax is wrong,
Greetings, Alice Wonder!
> This is what I use in dovecot:
> ssl_min_protocol = TLSv1.2
> ssl_cipher_list =
> EECDH+CHACHA20:EECDH+AESGCM:EECDH+SHA384:EECDH+SHA256:EECDH:!3DES:!RC4:!ADH:!LOW@STRENGTH
> ssl_prefer_server_ciphers = yes
Don't touch SSL chipherlist unless you 100% know what you are
Marco
Post your logs showing the errors.
__
Robert Chalmers
https://robert-chalmers.uk
aut...@robert-chalmers.uk
@R_A_Chalmers
On 10 Dec 2018, at 8:25 pm, Viktor Dukhovni wrote:
>> On Dec 10, 2018, at 7:22 AM, Alice Wonder wrote:
>>
>> ssl_min_protocol = TLSv1.2
>> ssl_cipher_li
> On Dec 10, 2018, at 7:22 AM, Alice Wonder wrote:
>
> ssl_min_protocol = TLSv1.2
> ssl_cipher_list =
> EECDH+CHACHA20:EECDH+AESGCM:EECDH+SHA384:EECDH+SHA256:EECDH:!3DES:!RC4:!ADH:!LOW@STRENGTH
> ssl_prefer_server_ciphers = yes
The cipherlist syntax is wrong, you're missing a ":" between "!LOW"
revention
Mass Mailing
G Suite/Gmail
ang...@uconn.edu
University of Connecticut, ITS, SSG, Server Systems
860-486-9075
-Original Message-
From: owner-postfix-us...@postfix.org On
Behalf Of Viktor Dukhovni
Sent: Monday, December 10, 2018 10:01 AM
To: Postfix users
Subject: Re: SSL not
On Mon, 2018-12-10 at 04:22 -0800, Alice Wonder wrote:
> ssl_min_protocol = TLSv1.2
> ssl_cipher_list =
> EECDH+CHACHA20:EECDH+AESGCM:EECDH+SHA384:EECDH+SHA256:EECDH:!3DES:!RC4
> :!ADH:!LOW@STRENGTH
> ssl_prefer_server_ciphers = yes
Don't forget about ssl_dh_parameters_length, it's default on Deb
On 12/10/18 6:46 AM, Marco Fioretti wrote:
Hello Viktor, and all.
This is only a partial answer to Viktor last email:
Il giorno lun 10 dic 2018 alle ore 13:56 Viktor Dukhovni
ha scritto:
-r. 1 root root 3546 Dec 7 11:59 fullchain1.pem
-rw-r--r--. 1 root root 1704 Dec 7 11:5
> On Dec 10, 2018, at 9:46 AM, Marco Fioretti wrote:
>
> This afternoon I have urgent family matters to attend, not sure if I
> will able to test and report before tomorrow afternoon about all the
> other advice I got so far.
You can skip all the other advice. You need to post logs, specificall
Hello Viktor, and all.
This is only a partial answer to Viktor last email:
Il giorno lun 10 dic 2018 alle ore 13:56 Viktor Dukhovni
ha scritto:
> > -r. 1 root root 3546 Dec 7 11:59 fullchain1.pem
> > -rw-r--r--. 1 root root 1704 Dec 7 11:59 privkey1.pem
>
> This looks rather o
On Mon, Dec 10, 2018 at 01:02:25PM +0100, Marco Fioretti wrote:
> I just changed my permission in the same way, except that the files
> are in another folder (does it make any difference? It shouldn't
> right?), i.e. the same where letsencrypt/certbot put them:
>
> -r. 1 root root 35
Sorry about the setenforce advice, I didn't see you already had that
covered.
The path for the certs should not matter as long as the files exist.
One thing with dovecot - make sure the PEM file has the cert and the
bundle in it.
cat certificate.pem ca-bundle.pem > combined.pem
Then set
ss
Hello Alice, see answers in line
Il giorno lun 10 dic 2018 alle ore 12:09 Alice Wonder
ha scritto:
>
> When trouble shooting on systems with SELinux I put it in permissive mode -
> setenforce 0
this is already the case on the new VPS (FWIW, I personally share your
feelingsabout selinux in gener
Just looking at this again…
Do you have in or remember to update…. (note the use of as a
marker)
dovecot/conf.d/10-ssl.conf
ssl_cert = /fullchain.pem
ssl_key = /privkey.pem
and in postfix/main.cf
#TLS parameters
smtpd_use_tls=yes
smtpd_tls_ciphers = medium
smtpd_tls_security_level = may
When trouble shooting on systems with SELinux I put it in permissive mode -
setenforce 0
Personally I prefer to disable it, it gets in the way too often and so
far has never prevented an actual attack on any of my systems, and just
when I start to figure things out - they change how it works o
Il giorno lun 10 dic 2018 alle ore 09:14 Robert Chalmers
ha scritto:
>
> Google is refusing access because your ipv6 PTR does not map to your domain.
> It’s the common (now) google reverse lookup failing.
> ...
thanks for the reminder.
I know, but had temporarily forgotten due to how that this
Google is refusing access because your ipv6 PTR does not map to your domain.
It’s the common (now) google reverse lookup failing.
-
Robert Chalmers
https://robert-chalmers.uk
aut...@robert-chalmers.uk
@R_A_Chalmers
> On 10 Dec 2018, at 8:08 am, Marco Fioretti wrote:
>
> Greetings,
>
> I
20 matches
Mail list logo
