On Tue, May 26, 2015 at 06:21:36AM -0400, Postfix User wrote:
> > > > -o smtpd_tls_dh1024_param_file=$msa_tls_dh1024_param_file
> > >
> > > Is that correct? It doesn't look right.
> >
> > Looks OK to me, provided the RHS variable is set correctly in
> > main.cf.

warning: /usr/local/etc/postf

On 26 May 2015, at 12:21, Postfix User wrote:
> On Tue, 26 May 2015 08:14:43 +, Viktor Dukhovni stated:
>
>> On Mon, May 25, 2015 at 03:49:09PM -0400, Postfix User wrote:
>>
>>> On Mon, 25 May 2015 13:52:07 +, Viktor Dukhovni stated:
>>>
-o smtpd_tls_dh1024_param_file=$msa_tls_dh1

On Tue, 26 May 2015 08:14:43 +, Viktor Dukhovni stated:
> On Mon, May 25, 2015 at 03:49:09PM -0400, Postfix User wrote:
>
> > On Mon, 25 May 2015 13:52:07 +, Viktor Dukhovni stated:
> >
> > > -o smtpd_tls_dh1024_param_file=$msa_tls_dh1024_param_file
> >
> > Is that correct? It doesn't

On Mon, May 25, 2015 at 03:49:09PM -0400, Postfix User wrote:
> On Mon, 25 May 2015 13:52:07 +, Viktor Dukhovni stated:
>
> > -o smtpd_tls_dh1024_param_file=$msa_tls_dh1024_param_file
>
> Is that correct? It doesn't look right.

Looks OK to me, provided the RHS variable is set correctly in

On Mon, May 25, 2015 at 05:31:31PM +0200, DTNX Postmaster wrote:
> Except that the 'tls_medium_cipherlist' setting defaults to
> 'aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH', and thus leaves
> anonymous ciphers enabled for your MSA.

Which is a feature, not a bug.

> As well as PSK, DSS, SEED,

On Mon, 25 May 2015 13:52:07 +, Viktor Dukhovni stated:
> -o smtpd_tls_dh1024_param_file=$msa_tls_dh1024_param_file

Is that correct? It doesn't look right.

--
Jerry

On 25 May 2015, at 15:52, Viktor Dukhovni wrote:
> On Mon, May 25, 2015 at 02:35:38PM +0200, DTNX Postmaster wrote:
>
>> No, not for submission, where clients will submit their authentication
>> details, allowing them to bypass most of the restrictions that are in
>> place for MTA to MTA commu

On Mon, May 25, 2015 at 02:35:38PM +0200, DTNX Postmaster wrote:
> No, not for submission, where clients will submit their authentication
> details, allowing them to bypass most of the restrictions that are in
> place for MTA to MTA communication.

No, even for the MSA, disable all the deprecate

On 25 May 2015, at 14:35, DTNX Postmaster wrote:
> On 25 May 2015, at 13:23, Viktor Dukhovni wrote:
>
>> On Mon, May 25, 2015 at 10:36:24AM +0200, DTNX Postmaster wrote:
>>
>>> I am talking about the MSA here, Viktor, not MTA to MTA traffic. That's
>>> what the previous poster was asking abou

On 25 May 2015, at 13:23, Viktor Dukhovni wrote:
> On Mon, May 25, 2015 at 10:36:24AM +0200, DTNX Postmaster wrote:
>
>> I am talking about the MSA here, Viktor, not MTA to MTA traffic. That's
>> what the previous poster was asking about;
>
> My advice stands. Avoid overly explicit cipher lis

On Mon, May 25, 2015 at 10:36:24AM +0200, DTNX Postmaster wrote:
> I am talking about the MSA here, Viktor, not MTA to MTA traffic. That's
> what the previous poster was asking about;

My advice stands. Avoid overly explicit cipher lists. Go with
broad categories, with some exclusions as necess
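To make the two pieces of advice in this thread concrete, here is an added example of a main.cf / master.cf pair; it is not taken from the thread or from Postfix's own documentation. It shows the pattern Viktor confirmed above (a master.cf "-o" override whose value is a $parameter defined in main.cf, which is also what master(5) recommends for values that would otherwise need whitespace) and a cipher grade with a targeted exclusion in place of an explicit suite list. Only the parameter name msa_tls_dh1024_param_file comes from the thread; the DH file path, the RC4 exclusion and the rest of the submission stanza are assumptions chosen for illustration.

```ini
# ---- main.cf (added example) ----

# A user-defined parameter. Postfix accepts arbitrary "name = value" lines in
# main.cf and expands $name references to them in master.cf -o overrides.
# The path is an assumption. Despite the parameter's historical name, the file
# may hold larger parameters, e.g. generated with:
#   openssl dhparam -out /etc/postfix/dh2048.pem 2048
msa_tls_dh1024_param_file = /etc/postfix/dh2048.pem

# Port 25, MTA to MTA: opportunistic TLS with the broad defaults.
# Excluding aNULL here is unnecessary (as the thread says): the server cannot
# make a client authenticate it. A client that verifies certificates never
# offers an anonymous suite, and one that does not verify gains nothing from
# an authenticated one.
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = may
smtp_tls_protocols = !SSLv2, !SSLv3

# ---- master.cf (added example) ----

# Submission (MSA): TLS is mandatory and SASL is required, so the
# *_mandatory_* parameters are the ones that apply. "medium" is Postfix's
# default grade; its cipherlist ends in "+RC4", which only moves RC4 to the
# end of the preference order, so an explicit exclusion is what removes it.
# -o values must not contain whitespace: use commas, or a $parameter defined
# in main.cf as for the DH file below.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
  -o smtpd_tls_mandatory_ciphers=medium
  -o smtpd_tls_exclude_ciphers=RC4
  -o smtpd_tls_dh1024_param_file=$msa_tls_dh1024_param_file
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```

Two checks are worth running after editing. "openssl ciphers -v 'aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH'" prints what the medium grade actually expands to on your OpenSSL build, which is the honest way to see whether a suite you are worried about is present before adding an exclusion. On Postfix 2.11 or later, "postconf -Px submission/inet/smtpd_tls_dh1024_param_file" shows the submission service's override with the $parameter expanded, so a typo in the main.cf name shows up as an empty value rather than as a warning at the next reload.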
On 25 May 2015, at 01:57, Viktor Dukhovni wrote:
> On Sun, May 24, 2015 at 08:00:30PM +0200, DTNX Postmaster wrote:
>
>> Assuming you are talking about the MSA (submission) and not MTA to MTA
>> traffic, you can cover the vast majority of the scenarios with the
>> following cipher selection st

On Sun, May 24, 2015 at 08:00:30PM +0200, DTNX Postmaster wrote:
> Assuming you are talking about the MSA (submission) and not MTA to MTA
> traffic, you can cover the vast majority of the scenarios with the
> following cipher selection string;
>
> EECDH+AES128:EECDH+AES256:EDH+AES128+SHA:RSA+AE

On 24 May 2015, at 18:09, CSS wrote:
>>> I thought I saw that listed on this forum earlier this year.
>>
>> Don't believe all the nonsense posted on the Internet.
>
> Related to the previous paragraph, I know that when I fiddle with
> SSL settings on a web server, I can easily dig up informatio

On May 24, 2015, at 9:28 AM, Viktor Dukhovni wrote:
> On Sun, May 24, 2015 at 06:38:50AM -0400, Postfix User wrote:
>
>>> smtpd_tls_protocols = !SSLv2, !SSLv3
>>> smtp_tls_protocols = !SSLv2, !SSLv3
>>
>> Wouldn't the following be more secure:
>>
>> smtpd_tls_protocols=!SSLv2, !SSLv3,

On Sat, May 23, 2015 at 08:01:15AM -0700, Grant wrote:
> Currently I have the following in main.cf:
>
> smtp_tls_exclude_ciphers = aNULL
> smtpd_tls_exclude_ciphers = aNULL

This is unnecessary.

> According to weakdh.org/sysadmin.html, I should have this:

Some clueless people post cargo-cult no

On Sun, May 24, 2015 at 06:38:50AM -0400, Postfix User wrote:
> > smtpd_tls_protocols = !SSLv2, !SSLv3
> > smtp_tls_protocols = !SSLv2, !SSLv3
>
> Wouldn't the following be more secure:
>
> smtpd_tls_protocols=!SSLv2, !SSLv3, !TLSv1, !TLSv1.1
> smtpd_tls_protocols=!SSLv2, !SSLv3, !TLSv1,

On 5/24/2015 5:38 AM, Postfix User wrote:
> On Sat, 23 May 2015 12:13:33 -0500, Noel Jones stated:
>
>> # Avoid obsolete protocol versions
>> #
>> smtpd_tls_protocols = !SSLv2, !SSLv3
>> smtp_tls_protocols = !SSLv2, !SSLv3
>
> Wouldn't the following be more secure:
>
> smtpd_

On Sat, 23 May 2015 12:13:33 -0500, Noel Jones stated:
> # Avoid obsolete protocol versions
> #
> smtpd_tls_protocols = !SSLv2, !SSLv3
> smtp_tls_protocols = !SSLv2, !SSLv3

Wouldn't the following be more secure:

smtpd_tls_protocols=!SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_t

On 5/23/2015 10:01 AM, Grant wrote:
> Currently I have the following in main.cf:
>
> smtp_tls_exclude_ciphers = aNULL
> smtpd_tls_exclude_ciphers = aNULL
>
> According to weakdh.org/sysadmin.html, I should have this:
>
> smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK,
> aEC

Currently I have the following in main.cf:

smtp_tls_exclude_ciphers = aNULL
smtpd_tls_exclude_ciphers = aNULL

According to weakdh.org/sysadmin.html, I should have this:

smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK,
aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-D