[pfx] Re: Enabling TLS1.3 and allow sending over SMTPS/465

2024-01-22 Thread Viktor Dukhovni via Postfix-users
On Mon, Jan 22, 2024 at 02:57:16PM -0500, Bill Cole via Postfix-users wrote: > The reason implicit TLS isn't useful for SMTP (MTA-MTA) use is that port 25 > must always be backwards-compatible and so MUST start with a plaintext > server greeting, NOT a TLS handshake. Establishing a new secure port

[pfx] Re: Enabling TLS1.3 and allow sending over SMTPS/465

2024-01-22 Thread Bill Cole via Postfix-users
On 2024-01-22 at 14:16:31 UTC-0500 (Mon, 22 Jan 2024 16:16:31 -0300) Taco de Wolff via Postfix-users is rumored to have said: Regarding MTA-MTA connections, it seems I didn't fully understand it. I was surprised that port 25 (unencrypted) was used for all mail traffic, but surely (and hopefull
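An added example for the point Bill Cole makes in the reply above, not code from the thread: port 25 (and 587) must start with the server's plaintext 220 greeting and can only be upgraded with STARTTLS, whereas SMTPS on 465 expects the client to open with a TLS ClientHello. The script below tells the two apart with openssl s_client and reports what was negotiated, using the "(sleep 2; printf QUIT)" pipeline Viktor uses in the older SMTPS 465 thread further down this page. It assumes an OpenSSL 1.0.1 or later openssl binary on the PATH; the host names in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: tell an implicit-TLS port (SMTPS, 465,
# where the client must open with a TLS ClientHello) from a port that speaks
# plaintext SMTP first (25/587, where the server sends "220 ..." in the clear
# and the client upgrades with STARTTLS), and report what was negotiated.
# Assumes "openssl s_client" (OpenSSL 1.0.1 or later) on the PATH.

# Pull Protocol, Cipher and the verify result out of s_client's SSL-Session
# block. Pure text processing on $1; prints "no-tls" and fails when there was
# no handshake (the text then usually carries an "error:" line instead).
session_summary() {
    proto=$(printf '%s\n' "$1" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
    cipher=$(printf '%s\n' "$1" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
    verify=$(printf '%s\n' "$1" | sed -n 's/^ *Verify return code: *//p' | head -n 1)
    if [ -z "$proto" ]; then
        echo no-tls
        return 1
    fi
    echo "$proto $cipher verify=${verify:-unknown}"
}

# One s_client run against $1:$2 in mode $3 ("implicit" or "starttls").
# The pipeline is the one used on this list: wait a moment, then send QUIT so
# the session ends cleanly and s_client prints its session block.
run_s_client() {
    if [ "$3" = starttls ]; then
        (sleep 2; printf 'QUIT\r\n') | openssl s_client -connect "$1:$2" -starttls smtp 2>&1
    else
        (sleep 2; printf 'QUIT\r\n') | openssl s_client -connect "$1:$2" 2>&1
    fi
}

# Try implicit TLS first. Against a plaintext port the server's 220 greeting is
# read as a bogus TLS record and the handshake fails at once, so we retry with
# -starttls smtp. Do not reverse the order: "-starttls smtp" against a 465
# port hangs, because s_client waits for a greeting the server will never send
# before it has seen a ClientHello.
probe_smtp_tls() {
    host=$1; port=$2
    out=$(run_s_client "$host" "$port" implicit)
    if summary=$(session_summary "$out"); then
        echo "$host:$port implicit-tls $summary"
        return 0
    fi
    out=$(run_s_client "$host" "$port" starttls)
    if summary=$(session_summary "$out"); then
        echo "$host:$port starttls $summary"
        return 0
    fi
    echo "$host:$port no-tls"
    return 1
}

# Usage (host names are placeholders):
#   sh smtp-tls-probe.sh mail.example.com 465
#   sh smtp-tls-probe.sh mail.example.com 25
if [ $# -eq 2 ]; then
    probe_smtp_tls "$1" "$2"
fi
```

The order of the two attempts is the whole trick: the failed implicit attempt against port 25 fails immediately, while "-starttls smtp" against an implicit-TLS port sits waiting for a 220 line that never comes. The "Verify return code" in the summary reflects only s_client's own trust store (what -CAfile/-CApath point at), not whether the server's TLS is working.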

[pfx] Re: Enabling TLS1.3 and allow sending over SMTPS/465

2024-01-22 Thread Bill Cole via Postfix-users
On 2024-01-22 at 12:42:08 UTC-0500 (Mon, 22 Jan 2024 12:42:08 -0500) Viktor Dukhovni via Postfix-users is rumored to have said: On Mon, Jan 22, 2024 at 11:44:40AM -0300, Taco de Wolff via Postfix-users wrote: [...] Has this something to do with FIPS mode? I don't think so because the ciphers

[pfx] Re: Enabling TLS1.3 and allow sending over SMTPS/465

2024-01-22 Thread Taco de Wolff via Postfix-users
Thanks Viktor for the reply. I think you were correct that mail was blocked only on port IPv4, and it had nothing to do with DANE. I've removed the TLSv1.3 ciphers from the list and TLSv1.3 keeps working. Unfortunately, the >=TLSv1.2 syntax is not supported for my version of Postfix (v3.5.8) and r

[pfx] Re: Enabling TLS1.3 and allow sending over SMTPS/465

2024-01-22 Thread Viktor Dukhovni via Postfix-users
On Mon, Jan 22, 2024 at 11:44:40AM -0300, Taco de Wolff via Postfix-users wrote: > Two questions really, one is that I can't enable TLS1.3 whatever I try. > Running CentOS8 with OpenSSL v1.1.1k-FIPS and Postfix v3.5.8, I confirm > that TLS1.3 ciphers are available: Protocol version negotiation is

[pfx] Re: Enabling TLS1.3 and allow sending over SMTPS/465

2024-01-22 Thread Matus UHLAR - fantomas via Postfix-users
On 22.01.24 12:34, Taco de Wolff via Postfix-users wrote: Sorry, this was a problem with the system-wide cryptographic policies. I set it to DEFAULT and it works. This is unexpected though, since at least two TLS1.3 ciphersuites are enabled with FIPS:OSPP and TLS1.3 works with Nginx (Dovecot is s
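An added example, not from the thread, for the two things the posters ran into: the ">=TLSv1.2" protocol syntax (Taco reports that Postfix 3.5.8 rejects it; it was introduced in Postfix 3.6), and the system-wide crypto policy on CentOS 8 that decided which protocols OpenSSL would offer at all. The script picks the spelling the installed Postfix understands and applies it to all four protocol parameters. It assumes postconf, and on CentOS/RHEL 8 update-crypto-policies, are on the PATH when the apply step runs; the version strings fed to the pure functions are examples.

```shell
#!/bin/sh
# Added example, not from the thread: write a Postfix TLS protocol floor in the
# form the installed Postfix understands. The ">=TLSv1.2" form exists from
# Postfix 3.6; on 3.5.x and earlier the same floor is an exclusion list.
# Assumes "postconf" and, on CentOS/RHEL 8, "update-crypto-policies" on the
# PATH when the apply step runs; the version strings below are examples.

# minor_of 3.5.8 -> 5 ; minor_of 3 -> 0
minor_of() {
    case "$1" in
        *.*) m=${1#*.}; echo "${m%%.*}" ;;
        *)   echo 0 ;;
    esac
}

# version_ge 3.5.8 3.6 -> false ; version_ge 3.6.0 3.6 -> true (major.minor only)
version_ge() {
    [ "${1%%.*}" -gt "${2%%.*}" ] ||
    { [ "${1%%.*}" -eq "${2%%.*}" ] && [ "$(minor_of "$1")" -ge "$(minor_of "$2")" ]; }
}

# tls_protocols_value POSTFIX_VERSION MINIMUM  (MINIMUM: TLSv1.2 or TLSv1.3)
# Prints the value for smtpd_tls_protocols and its three siblings.
tls_protocols_value() {
    if version_ge "$1" 3.6; then
        echo ">=$2"
        return 0
    fi
    case "$2" in
        TLSv1.2) echo '!SSLv2, !SSLv3, !TLSv1, !TLSv1.1' ;;
        TLSv1.3) echo '!SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2' ;;
        *) echo "unsupported minimum: $2" >&2; return 1 ;;
    esac
}

# Apply the floor on the server side and the client side, for opportunistic
# and for mandatory TLS alike, then show what OpenSSL itself is allowed to
# offer: on CentOS/RHEL 8 the system-wide crypto policy caps what OpenSSL will
# negotiate whatever Postfix asks for (the poster saw TLS 1.3 only after
# setting the policy to DEFAULT).
apply_tls_floor() {
    ver=$(postconf -h mail_version)
    val=$(tls_protocols_value "$ver" "$1") || return 1
    for p in smtpd_tls_protocols smtpd_tls_mandatory_protocols \
             smtp_tls_protocols smtp_tls_mandatory_protocols; do
        postconf -e "$p = $val"
    done
    if command -v update-crypto-policies >/dev/null 2>&1; then
        echo "crypto policy: $(update-crypto-policies --show)"
    fi
    postconf -n | grep '_tls_.*protocols'
}

# Usage: sh tls-floor.sh apply TLSv1.2   (then "postfix reload")
if [ "$1" = apply ]; then
    apply_tls_floor "${2:-TLSv1.2}"
fi
```

Two caveats a practitioner will want. The exclusion form has to name every version you want out, while the ">=" form sets a floor that needs no editing when a new version appears. And Postfix's cipher list parameters are OpenSSL cipher lists for TLS 1.2 and earlier; they do not select TLS 1.3 suites, which is why removing the TLS 1.3 names from the list, as Taco did, leaves TLS 1.3 working unchanged.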

[pfx] Re: Enabling TLS1.3 and allow sending over SMTPS/465

2024-01-22 Thread Taco de Wolff via Postfix-users
value to sha256 >> >> best regards >> Matthias >> >> -- >> *From: *"Taco de Wolff via Postfix-users" >> *To: *"postfix-users" >> *Sent: *Monday, 22 January 2024 15:44:40 >> *Subject: *[pfx]

[pfx] Re: Enabling TLS1.3 and allow sending over SMTPS/465

2024-01-22 Thread Taco de Wolff via Postfix-users
his value to sha256 > > best regards > Matthias > > -- > *From: *"Taco de Wolff via Postfix-users" > *To: *"postfix-users" > *Sent: *Monday, 22 January 2024 15:44:40 > *Subject: *[pfx] Enabling TLS1.3 and allow sending over SMTPS/465 > > Hi

[pfx] Re: Enabling TLS1.3 and allow sending over SMTPS/465

2024-01-22 Thread Matthias Schneider via Postfix-users
Hi, I think this has something to do with smtpd_tls_fingerprint_digest: smtpd_tls_fingerprint_digest = ${{$compatibility_level} To: "postfix-users" Sent: Monday, 22 January 2024 15:44:40 Subject: [pfx] Enabling TLS1.3 and allow sending over SMTPS/465 Hi, Two questions r

[pfx] Enabling TLS1.3 and allow sending over SMTPS/465

2024-01-22 Thread Taco de Wolff via Postfix-users
Hi, Two questions really, one is that I can't enable TLS1.3 whatever I try. Running CentOS8 with OpenSSL v1.1.1k-FIPS and Postfix v3.5.8, I confirm that TLS1.3 ciphers are available: # openssl version OpenSSL 1.1.1k FIPS 25 Mar 2021 # postconf -T compile-version OpenSSL 1.1.1k FIPS 25 Mar 2021

Re: SMTPS 465

2013-04-15 Thread Stan Hoeppner
On 4/15/2013 6:57 AM, Joan Moreau wrote: > Reverted to 3.7.10. Recompiled openssl + cyrus + postfix . Same errors. > Where does the inconsistency reside ? You will probably not get the answer from the Postfix mailing list, as this is not a problem with Postfix, and it appears that nobody here is w

Re: SMTPS 465

2013-04-15 Thread Reindl Harald
On 15.04.2013 14:14, DTNX Postmaster wrote: > Besides, aren't the odd kernel versions such as 3.5.x, 3.7.x etc. development > kernels? why should they? since kernel 2.6 released around 10 years ago the versioning is no longer this way and 3.0.x is only a renumbering from 2.6.40 https://www.k

Re: SMTPS 465

2013-04-15 Thread DTNX Postmaster
On Apr 15, 2013, at 13:57, Joan Moreau wrote: > On 15/04/2013 10:24, Charles Marcus wrote: > >>> On 2013-04-14 6:30 PM, Joan Moreau wrote: >>> On 14/04/2013 22:24, Viktor Dukhovni wrote: On Sun, Apr 14, 2013 at >>> 10:21:58PM +, Joan Moreau wrote: However, how can postfix NOT use the

Re: SMTPS 465

2013-04-15 Thread Reindl Harald
On 15.04.2013 13:57, Joan Moreau wrote: > On 15/04/2013 10:24, Charles Marcus wrote: > Roll back to the previous kernel. > > Seriously. If you updated the kernel but didn't keep the last known > good/working one, then hopefully you have learned why doing this is such > a good idea and will

Re: SMTPS 465

2013-04-15 Thread Joan Moreau
On 15/04/2013 10:24, Charles Marcus wrote: On 2013-04-14 6:30 PM, Joan Moreau wrote: On 14/04/2013 22:24, Viktor Dukhovni wrote: On Sun, Apr 14, 2013 at 10:21:58PM +, Joan Moreau wrote: However, how can postfix NOT use the only openssl library ? or fail to have SHA2 when loading the

Re: SMTPS 465

2013-04-15 Thread Charles Marcus
On 2013-04-14 6:30 PM, Joan Moreau wrote: On 14/04/2013 22:24, Viktor Dukhovni wrote: On Sun, Apr 14, 2013 at 10:21:58PM +, Joan Moreau wrote: However, how can postfix NOT use the only openssl library ? or fail to have SHA2 when loading the .so ? Find a less broken operating system.

Re: SMTPS 465

2013-04-15 Thread Timo Röhling
On 2013-04-15 07:27, Stan Hoeppner wrote: We've been told that this kernel upgrade created the problem. Simply reverting to the previous kernel should fix it. I wager the OP upgraded more than just the kernel, or upgraded the kernel in-place, Russian Roulette style. ;) The lesson learned is th

Re: SMTPS 465

2013-04-14 Thread Stan Hoeppner
On 4/12/2013 2:03 PM, Joan Moreau wrote: > I am stuck with making my SSL SMTPS (port 465) works, while it was > working fine since ever. > > I upgraded my kernel to 3.8.6 and since then, nothing works :( On 4/14/2013 5:24 PM, Viktor Dukhovni wrote: > On Sun, Apr 14, 2013 at 10:21:58PM +, Joan

Re: SMTPS 465

2013-04-14 Thread Reindl Harald
On 15.04.2013 00:30, Joan Moreau wrote: > On 14/04/2013 22:24, Viktor Dukhovni wrote: > >> On Sun, Apr 14, 2013 at 10:21:58PM +, Joan Moreau wrote: >> >> However, how can postfix NOT use the only openssl library ? or fail to have >> SHA2 when loading the .so ? >> >> Find a less broken

Re: SMTPS 465

2013-04-14 Thread Joan Moreau
On 14/04/2013 22:24, Viktor Dukhovni wrote: On Sun, Apr 14, 2013 at 10:21:58PM +, Joan Moreau wrote: However, how can postfix NOT use the only openssl library ? or fail to have SHA2 when loading the .so ? Find a less broken operating system. This works on every system I've ever used,

Re: SMTPS 465

2013-04-14 Thread Viktor Dukhovni
On Sun, Apr 14, 2013 at 10:21:58PM +, Joan Moreau wrote: > However, how can postfix NOT use the only openssl library ? or fail to > have SHA2 when loading the .so ? Find a less broken operating system. This works on every system I've ever used, and finding out what's wrong with yours is not

Re: SMTPS 465

2013-04-14 Thread Joan Moreau
On 14/04/2013 22:08, Joan Moreau wrote: > On 14/04/2013 22:02, Viktor Dukhovni wrote: > > On Sun, Apr 14, 2013 at 09:21:16PM +, Viktor Dukhovni wrote: > Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 This looks fine, > OpenSSL inter-operates with itself selecting a TLSv1.2

Re: SMTPS 465

2013-04-14 Thread Viktor Dukhovni
On Sun, Apr 14, 2013 at 10:08:52PM +, Joan Moreau wrote: > #define OpenSSL_add_ssl_algorithms() SSL_library_init() > > which adds all libcrypto digests. > > Same : in /usr/include/openssl/ssl.h, I have : > > #define OpenSSL_add_ssl_algorithms() SSL_library_init() > #define SSLeay_add_ssl_a

Re: SMTPS 465

2013-04-14 Thread Joan Moreau
On 14/04/2013 22:02, Viktor Dukhovni wrote: > On Sun, Apr 14, 2013 at 09:21:16PM +, Viktor Dukhovni wrote: > Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 This looks fine, > OpenSSL inter-operates with itself selecting a TLSv1.2 ciphersuite. Now try: > (sleep 2; printf "%s\r\n"

Re: SMTPS 465

2013-04-14 Thread Viktor Dukhovni
On Sun, Apr 14, 2013 at 09:21:16PM +, Viktor Dukhovni wrote: > > Protocol : TLSv1.2 > > Cipher: ECDHE-RSA-AES256-GCM-SHA384 > > This looks fine, OpenSSL inter-operates with itself selecting a TLSv1.2 > ciphersuite. Now try: > > (sleep 2; printf "%s\r\n" QUIT) | > openssl s_cl

Re: SMTPS 465

2013-04-14 Thread Joan Moreau
On 14/04/2013 21:21, Viktor Dukhovni wrote: On Sun, Apr 14, 2013 at 08:49:11PM +, Joan Moreau wrote: $ openssl s_client -state -connect 127.0.0.1:12345 2>&1 | tee client.out Ok, here it is below Please also report "openssl version -a". Here : OpenSSL 1.0.1e 11 Feb 2013 built on: Sun

Re: SMTPS 465

2013-04-14 Thread Viktor Dukhovni
On Sun, Apr 14, 2013 at 08:49:11PM +, Joan Moreau wrote: > >$ openssl s_client -state -connect 127.0.0.1:12345 2>&1 | tee client.out > > Ok, here it is below > Please also report "openssl version -a". > client.out : > > New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384 > Server publi

Re: SMTPS 465

2013-04-14 Thread Joan Moreau
On 14/04/2013 19:46, Viktor Dukhovni wrote: On Sun, Apr 14, 2013 at 06:31:48PM +, Joan Moreau wrote: Ok, I have now proper install of postfix / openssl / cyrus / etc... I still get : 2013-04-14T20:29:45.074096+02:00 server postfix/smtpd[12926]: warning: TLS library problem: 12926:err

Re: SMTPS 465

2013-04-14 Thread Viktor Dukhovni
On Sun, Apr 14, 2013 at 06:31:48PM +, Joan Moreau wrote: > Ok, I have now proper install of postfix / openssl / cyrus / etc... > > I still get : > > 2013-04-14T20:29:45.074096+02:00 server postfix/smtpd[12926]: warning: > TLS library problem: 12926:error:1409D08A:SSL > routines:SSL3_SETUP

Re: SMTPS 465

2013-04-14 Thread Joan Moreau
On 14/04/2013 17:45, Viktor Dukhovni wrote: > On Sun, Apr 14, 2013 at 07:33:21PM +0200, Reindl Harald wrote: > On 14.04.2013 19:24, Viktor Dukhovni wrote: On Sun, Apr 14, 2013 at > 07:22:28PM +0200, Reindl Harald wrote: -UHAS_IPV6 -DUSE_TLS > -I/usr/include/mysql/ -I/usr/include/sasl ' '

Re: SMTPS 465

2013-04-14 Thread Viktor Dukhovni
On Sun, Apr 14, 2013 at 07:33:21PM +0200, Reindl Harald wrote: > On 14.04.2013 19:24, Viktor Dukhovni wrote: > > On Sun, Apr 14, 2013 at 07:22:28PM +0200, Reindl Harald wrote: > > > >>> -UHAS_IPV6 -DUSE_TLS -I/usr/include/mysql/ -I/usr/include/sasl ' > >>> 'AUXLIBS=-L/usr/lib/mysql/ -lmysqlcli

Re: SMTPS 465

2013-04-14 Thread Reindl Harald
On 14.04.2013 19:24, Viktor Dukhovni wrote: > On Sun, Apr 14, 2013 at 07:22:28PM +0200, Reindl Harald wrote: > >>> -UHAS_IPV6 -DUSE_TLS -I/usr/include/mysql/ -I/usr/include/sasl ' >>> 'AUXLIBS=-L/usr/lib/mysql/ -lmysqlclient -lssl >>> -lcrypto -lz -lm -lpcre -lsasl2' >> >> i am missing here t

Re: SMTPS 465

2013-04-14 Thread Joan Moreau
On 14/04/2013 17:21, Viktor Dukhovni wrote: On Sun, Apr 14, 2013 at 03:57:07PM +, Joan Moreau wrote: Done right, this is sufficient. Your compiler settings must be wrong. Post the exact command you use to create the Postfix "makefiles". make -f Makefile.init makefiles 'CCARGS=-DHAS_PCR

Re: SMTPS 465

2013-04-14 Thread Viktor Dukhovni
On Sun, Apr 14, 2013 at 07:22:28PM +0200, Reindl Harald wrote: > > -UHAS_IPV6 -DUSE_TLS -I/usr/include/mysql/ -I/usr/include/sasl ' > > 'AUXLIBS=-L/usr/lib/mysql/ -lmysqlclient -lssl > > -lcrypto -lz -lm -lpcre -lsasl2' > > i am missing here the path to openssl > below the ARGS from my fedora-rp

Re: SMTPS 465

2013-04-14 Thread Reindl Harald
On 14.04.2013 17:57, Joan Moreau wrote: > On 14/04/2013 15:25, Viktor Dukhovni wrote: > >> On Sun, Apr 14, 2013 at 01:30:53PM +, Joan Moreau wrote: >> >> [ You're using a mail client, whose plain-text response does not properly >> "quote" material you're replying to. When posting to thi

Re: SMTPS 465

2013-04-14 Thread Viktor Dukhovni
On Sun, Apr 14, 2013 at 03:57:07PM +, Joan Moreau wrote: > >Done right, this is sufficient. Your compiler settings must > >be wrong. Post the exact command you use to create the > >Postfix "makefiles". > > make -f Makefile.init makefiles 'CCARGS=-DHAS_PCRE -DHAS_MYSQL > -DUSE_SASL_AUTH -DUSE

Re: SMTPS 465

2013-04-14 Thread Joan Moreau
On 14/04/2013 15:25, Viktor Dukhovni wrote: On Sun, Apr 14, 2013 at 01:30:53PM +, Joan Moreau wrote: [ You're using a mail client, whose plain-text response does not properly "quote" material you're replying to. When posting to this list please use a non-HTML client that gets the plain

Re: SMTPS 465

2013-04-14 Thread Viktor Dukhovni
On Sun, Apr 14, 2013 at 01:30:53PM +, Joan Moreau wrote: [ You're using a mail client, whose plain-text response does not properly "quote" material you're replying to. When posting to this list please use a non-HTML client that gets the plain-text message right. ] > Ok, I tried > > 1 -

Re: SMTPS 465

2013-04-14 Thread Joan Moreau
On 13/04/2013 16:27, Viktor Dukhovni wrote: > On Sat, Apr 13, 2013 at 03:40:59PM +0200, mouss wrote: > 2013-04-12T21:49:03.160443+02:00 server postfix/smtpd[12238]: warning: TLS > library problem: 12238:error:1409D08A:SSL > routines:ssl3_setup_key_block:cipher or hash unavailable:s3_enc.c:

Re: SMTPS 465

2013-04-13 Thread Joan Moreau
On 13/04/2013 13:40, mouss wrote: > On 12/04/2013 23:05, Joan Moreau wrote: > Please don't top-post. I do not understand smtpd_tls_loglevel = 1 is > sufficient for debugging. ok 2013-04-12T21:49:03.160443+02:00 server > postfix/smtpd[12238]: warning: TLS library problem: 12238:error:140

Re: SMTPS 465

2013-04-13 Thread Viktor Dukhovni
On Sat, Apr 13, 2013 at 03:40:59PM +0200, mouss wrote: > >> 2013-04-12T21:49:03.160443+02:00 server postfix/smtpd[12238]: > >> warning: TLS library problem: 12238:error:1409D08A:SSL > >> routines:ssl3_setup_key_block:cipher or hash unavailable:s3_enc.c:423: > >> > >> This suggests your TLS library

Re: SMTPS 465

2013-04-13 Thread mouss
On 12/04/2013 23:05, Joan Moreau wrote: > >> Please don't top-post. > > I do not understand > > >> smtpd_tls_loglevel = 1 is sufficient for debugging. > > ok > > >> 2013-04-12T21:49:03.160443+02:00 server postfix/smtpd[12238]: >> warning: TLS library problem: 12238:error:1409D08A:SSL >> routines

Re: SMTPS 465

2013-04-13 Thread Reindl Harald
On 13.04.2013 12:43, Joan Moreau wrote: > This led to an error 404. > Maybe you can rather explain how "toppost" would solve the SSL problem? you should post your reply BELOW the quote to make a thread readable by people who may come later to it and they may ignore it if it is unreadable for

Re: SMTPS 465

2013-04-13 Thread Joan Moreau
This led to an error 404. Maybe you can rather explain how "toppost" would solve the SSL problem? Thanks in advance joan On 12/04/2013 22:14, Quanah Gibson-Mount wrote: > --On Friday, April 12, 2013 9:05 PM + Joan Moreau > wrote: > Please don't top-post. I do not understand

Re: SMTPS 465

2013-04-13 Thread Joan Moreau
yes, I kind of agree with you, however, whether it be with SSL or STARTTLS, I get the same error (which did not appear before I upgraded my kernel) What could be the solution? On 12/04/2013 22:50, b...@bitrate.net wrote: > On Apr 12, 2013, at 15.25, Joan Moreau wrote: > >> Hi, I am stuc

Re: SMTPS 465

2013-04-12 Thread DTNX Postmaster
On Apr 13, 2013, at 00:50, b...@bitrate.net wrote: > On Apr 12, 2013, at 15.25, Joan Moreau wrote: > >> Hi, >> >> I am stuck with making my SSL SMTPS (port 465) works, while it was working >> fine since ever. > > others have helped with the specifics of your question, so i'll address the > p

Re: SMTPS 465

2013-04-12 Thread btb
On Apr 12, 2013, at 15.25, Joan Moreau wrote: > Hi, > > I am stuck with making my SSL SMTPS (port 465) works, while it was working > fine since ever. others have helped with the specifics of your question, so i'll address the philosophical aspect of it :) . while it may take some coordinati

Re: SMTPS 465

2013-04-12 Thread Quanah Gibson-Mount
--On Friday, April 12, 2013 9:05 PM + Joan Moreau wrote: Please don't top-post. I do not understand --Quanah -- Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc. Zimbra :: the l

Re: SMTPS 465

2013-04-12 Thread Joan Moreau
Please don't top-post. I do not understand smtpd_tls_loglevel = 1 is sufficient for debugging. ok 2013-04-12T21:49:03.160443+02:00 server postfix/smtpd[12238]: warning: TLS library problem: 12238:error:1409D08A:SSL routines:ssl3_setup_key_block:cipher or hash unavailable:s3_enc.c:423:
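An added helper, not from the thread, for the log line Joan keeps hitting: it extracts the hex code from a Postfix "TLS library problem" warning and unpacks it the way OpenSSL's ERR_PACK() stores it (8 bits of library id, 12 bits of function id, 12 bits of reason code), next to the text fields OpenSSL prints after the code. It assumes POSIX sh, sed and awk; the sample line used in the usage is the one from this thread.

```shell
#!/bin/sh
# Added helper, not from the thread: decode the hex code in a Postfix
# "warning: TLS library problem: ..." line. OpenSSL packs it with ERR_PACK():
# 8 bits of library id, 12 bits of function id, 12 bits of reason code,
# followed by the text fields library:function:reason:file:line.
# Assumes POSIX sh, sed and awk. (OpenSSL 3.x no longer encodes a function
# id, so that field reads 0 for errors from 3.x builds.)

# ossl_err_code LINE -> the 8-hex-digit code, or nothing if the line has none
ossl_err_code() {
    printf '%s\n' "$1" | sed -n 's/.*error:\([0-9A-Fa-f]\{8\}\):.*/\1/p' | head -n 1
}

# ossl_err_fields CODE -> "lib=N func=N reason=N" (decimal, as in the headers)
ossl_err_fields() {
    code=$((0x$1))
    echo "lib=$(( (code >> 24) & 0xff )) func=$(( (code >> 12) & 0xfff )) reason=$(( code & 0xfff ))"
}

# ossl_err_describe LINE -> the text fields OpenSSL printed after the code
ossl_err_describe() {
    printf '%s\n' "$1" | sed 's/.*TLS library problem: //' |
        awk -F: '{ printf "code=%s lib=\"%s\" func=%s reason=\"%s\" at=%s:%s\n", $3, $4, $5, $6, $7, $8 }'
}

# Scan a mail log on stdin and decode every TLS library problem it reports.
# Usage: sh ossl-err.sh scan < /var/log/maillog
# For the line in this thread it prints:
#   lib=20 func=157 reason=138  code=1409D08A lib="SSL routines" ...
if [ "$1" = scan ]; then
    while IFS= read -r line; do
        c=$(ossl_err_code "$line")
        if [ -n "$c" ]; then
            echo "$(ossl_err_fields "$c")  $(ossl_err_describe "$line")"
        fi
    done
fi
```

"openssl errstr 1409D08A" prints the same decomposition with names. For this code the numbers are library 20 (the SSL library), function 157 (ssl3_setup_key_block) and reason 138 (cipher or hash unavailable). In OpenSSL 1.0.x that reason is raised when the negotiated suite's cipher or digest cannot be found in libcrypto's tables, which for a TLS 1.2 AES-GCM suite means the SHA-2 digests; that is consistent with the thread's focus on which OpenSSL Postfix was built and linked against rather than on main.cf.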

Re: SMTPS 465

2013-04-12 Thread Noel Jones
On 4/12/2013 2:49 PM, Joan Moreau wrote: > Actually, if type > > openssl s_client*-CApath BKQSDQSD* -connect 127.0.0.1:465 > > (Ie. whatever in the CApath field), the connection works fine > > but if not, I get an error. > > > > Putting "log level" at 3 in postfix, I get : Please don't top-

Re: SMTPS 465

2013-04-12 Thread Joan Moreau
Actually, if I type openssl s_client -CAPATH BKQSDQSD -connect 127.0.0.1:465 (Ie. whatever in the CApath field), the connection works fine but if not, I get an error. Putting "log level" at 3 in postfix, I get : 2013-04-12T21:49:03.25+02:00 server postfix/smtpd[12238]: initializing th

Re: SMTPS 465

2013-04-12 Thread Joan Moreau
Hi, I need to type server:~ # openssl s_client -CAPATH /ETC/SSL -connect 127.0.0.1:465 to get an "OK" at the end. Is this the cause of the problem ? if yes, how to fix it in 'main.cf" ? CONNECTED(0003) depth=1 C = FR, O = GANDI SAS, CN = Gandi Standard SSL CA verify return:1 depth=0 O

Re: SMTPS 465

2013-04-12 Thread Noel Jones
On 4/12/2013 2:25 PM, Joan Moreau wrote: > Hi, > > I am stuck with making my SSL SMTPS (port 465) works, while it was > working fine since ever. > > I upgraded my kernel to 3.8.6 and since then, nothing works :( > > What happens when you test it? # openssl s_client -connect 127.0.0.1:465 Wh

SMTPS 465

2013-04-12 Thread Joan Moreau
Hi, I am stuck with making my SSL SMTPS (port 465) works, while it was working fine since ever. I upgraded my kernel to 3.8.6 and since then, nothing works :( Here my postconf -n alias_maps = hash:/etc/aliases biff = no bounce_queue_lifetime = 6h broken_sasl_auth_clients = yes canonical_m
