[pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak Ciphers

2024-03-02 Thread Viktor Dukhovni via Postfix-users
On Fri, Mar 01, 2024 at 08:58:07AM +0100, Alexander Leidinger wrote:

> > > tls_high_cipherlist=ALL:!RSA:!CAMELLIA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SHA1:!SHA256:!SHA384;
> >
> > Not recommended. It disables all non-AEAD ciphers, and aNULL ciphers,
> > which are fine to use.

[pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak Ciphers

2024-03-01 Thread Steffen Nurpmeso via Postfix-users
Viktor Dukhovni via Postfix-users wrote in :

|On Fri, Mar 01, 2024 at 12:26:33AM +0100, Steffen Nurpmeso wrote:
|
|> i still use the
|>
|> # super modern, forward secrecy TLSv1.2 / TLSv1.3 selection..
|> tls_high_cipherlist = EECDH+AESGCM:EECDH+AES256:EDH+AESGCM:CHACHA20
|
|I don't re

[pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak Ciphers

2024-03-01 Thread Alexander Leidinger via Postfix-users
On 2024-02-29 13:46, Viktor Dukhovni via Postfix-users wrote:
> On Thu, Feb 29, 2024 at 06:36:09AM -0500, Scott Hollenbeck wrote:
> > What do you consider weak?
> All of the anonymous Diffie-Hellman suites with an "F" score.
> > How can I eliminate the following:
> Who's assigning the "F" scores? Nma

[pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak Ciphers

2024-02-29 Thread Alexander Leidinger via Postfix-users
On 2024-02-29 10:27, Viktor Dukhovni via Postfix-users wrote:
> On Thu, Feb 29, 2024 at 08:59:44AM +0100, Alexander Leidinger via Postfix-users wrote:
> > # grep tls main.cf | grep -vE '^#'
> > smtp_tls_security_level = encrypt
> > smtpd_tls_ask_ccert = yes
> > smtpd_tls_CApath = $smtp_tls_CApath
> Not gen

[pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak Ciphers

2024-02-29 Thread Viktor Dukhovni via Postfix-users
On Fri, Mar 01, 2024 at 12:26:33AM +0100, Steffen Nurpmeso wrote:

> i still use the
>
> # super modern, forward secrecy TLSv1.2 / TLSv1.3 selection..
> tls_high_cipherlist = EECDH+AESGCM:EECDH+AES256:EDH+AESGCM:CHACHA20

I don't recommend cargo-culting random cipher lists.

> smtpd_tls_mand

[pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak Ciphers

2024-02-29 Thread Steffen Nurpmeso via Postfix-users
postfix-users@postfix.org wrote in :

|On Thu, Feb 29, 2024 at 06:36:09AM -0500, Scott Hollenbeck wrote:
|
|> Sorry, context is important. This server needs to pass a Payment Card
|> Industry (PCI) compliance scan. Their definition of weak: "key lengths of
|> less than 112 bits, or else use th

[pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak Ciphers

2024-02-29 Thread Viktor Dukhovni via Postfix-users
On Thu, Feb 29, 2024 at 06:36:09AM -0500, Scott Hollenbeck wrote:

> Sorry, context is important. This server needs to pass a Payment Card
> Industry (PCI) compliance scan. Their definition of weak: "key lengths of
> less than 112 bits, or else use the 3DES encryption suite". Opportunistic
> TLS is

[pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak Ciphers

2024-02-29 Thread Scott Hollenbeck via Postfix-users
> -Original Message-
> From: Viktor Dukhovni via Postfix-users
> Sent: Wednesday, February 28, 2024 8:46 PM
> To: postfix-users@postfix.org
> Subject: [pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak
> Ciphers
>
> On Wed, Feb 28, 2024 at

[pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak Ciphers

2024-02-29 Thread Viktor Dukhovni via Postfix-users
On Thu, Feb 29, 2024 at 08:59:44AM +0100, Alexander Leidinger via Postfix-users wrote:

> # grep tls main.cf | grep -vE '^#'
> smtp_tls_security_level = encrypt
> smtpd_tls_ask_ccert = yes
> smtpd_tls_CApath = $smtp_tls_CApath

Not generally applicable.

> smtp_tls_mandatory_protocols = !SSLv2 ,

[pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak Ciphers

2024-02-29 Thread Alexander Leidinger via Postfix-users
On 2024-02-28 14:55, Scott Hollenbeck via Postfix-users wrote:
> Would someone please describe the configuration settings needed to support
> TLS 1.2 and 1.3 with no weak ciphers? Here's what I currently have in my

That depends on your definition of "weak".

> configuration

[pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak Ciphers

2024-02-28 Thread Viktor Dukhovni via Postfix-users
On Wed, Feb 28, 2024 at 08:55:04AM -0500, Scott Hollenbeck via Postfix-users wrote:

> Would someone please describe the configuration settings needed to support
> TLS 1.2 and 1.3 with no weak ciphers? Here's what I currently have in my
> configuration files:

This is not the

[pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak Ciphers

2024-02-28 Thread Scott Hollenbeck via Postfix-users
> -Original Message-
> From: Wietse Venema via Postfix-users
> Sent: Wednesday, February 28, 2024 3:11 PM
> To: Postfix users
> Subject: [pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak
> Ciphers
>
> Scott Hollenbeck via Postfix-users:
> >

[pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak Ciphers

2024-02-28 Thread Wietse Venema via Postfix-users
Scott Hollenbeck via Postfix-users:
> Right, but that page says "You are strongly encouraged not to change this
> setting". I'm also unsure why I'm not seeing any TLS 1.3 ciphers when
> "smtpd_tls_protocols = >=TLSv1.2". Doesn't that setting include TLS 1.3?

tls_high_cipherlist and tls_medium_cip

[pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak Ciphers

2024-02-28 Thread Scott Hollenbeck via Postfix-users
-
> From: Wietse Venema via Postfix-users
> Sent: Wednesday, February 28, 2024 2:38 PM
> To: Postfix users
> Subject: [pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak
> Ciphers
>
> Scott Hollenbeck via Postfix-users:
> > Thanks, here's the outp

[pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak Ciphers

2024-02-28 Thread Wietse Venema via Postfix-users
h_cipherlist
https://www.postfix.org/postconf.5.html#tls_medium_cipherlist

Wietse

> > Scott
>
> > -Original Message-
> > From: Wietse Venema via Postfix-users
> > Sent: Wednesday, February 28, 2024 2:18 PM
> > To: Postfix users
> > Subject: [p

[pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak Ciphers

2024-02-28 Thread Scott Hollenbeck via Postfix-users
users
> Subject: [pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak
> Ciphers
>
> Scott Hollenbeck via Postfix-users:
> > Sorry, I should note that this is for postfix 3.6.4.
> >
> > postconf -H | grep -E 'high|medium'
>
> Wie

[pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak Ciphers

2024-02-28 Thread Wietse Venema via Postfix-users
8, 2024 8:55 AM
> > To: postfix-users@postfix.org
> > Subject: [pfx] Configuration Settings for TLS 1.2 and 1.3 with No Weak
> Ciphers
> >
> > Would someone please describe the configuration settings needed to support
> > TLS 1.2 and 1.3 with no weak ciphers? Here

[pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak Ciphers

2024-02-28 Thread Scott Hollenbeck via Postfix-users
Sorry, I should note that this is for postfix 3.6.4.

Scott

> -Original Message-
> From: Scott Hollenbeck via Postfix-users
> Sent: Wednesday, February 28, 2024 8:55 AM
> To: postfix-users@postfix.org
> Subject: [pfx] Configuration Settings for TLS 1.2 and 1.3 with

[pfx] Configuration Settings for TLS 1.2 and 1.3 with No Weak Ciphers

2024-02-28 Thread Scott Hollenbeck via Postfix-users
Would someone please describe the configuration settings needed to support TLS 1.2 and 1.3 with no weak ciphers? Here's what I currently have in my configuration files:

main.cf:

smtpd_tls_cert_file=/etc/letsencrypt/live/mysite.net/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/mysit

Re: Weak Ciphers

2015-11-08 Thread Viktor Dukhovni
On Sun, Nov 08, 2015 at 07:52:27AM -0500, John Allen wrote:

> I ran the ssl-tools tests on my mail server.
> Everything seems to be OK, *BUT* it reports that I am using a weak cipher
> "ECDHE_RSA_WITH_RC4_128_SHA"!

Ignore their report for now. I am tentatively planning to disable RC4 in default

Re: Weak Ciphers

2015-11-08 Thread yahoogroups
:23 PM
To: postfix-users@postfix.org
Subject: Re: Weak Ciphers

To be RFC compliant, port 25 must accept MTA to MTA connections with no encryption. When another server can't connect with encryption, it will try without. Allowing weak ciphers is better than the result where ciphers are not

Re: Weak Ciphers

2015-11-08 Thread Alice Wonder
To be RFC compliant, port 25 must accept MTA to MTA connections with no encryption. When another server can't connect with encryption, it will try without. Allowing weak ciphers is better than the result where ciphers are not used because the other server only supports older ciphers

Re: Weak Ciphers

2015-11-08 Thread Christian Kivalo
I am using Viktor's recommendation from August 2015 here on the list, see:
-> http://thread.gmane.org/gmane.mail.postfix.user/251935/focus=251935

The ssl-tools.net test warns about supported weak ciphers, namely ECDHE_RSA_WITH_RC4_128_SHA as in your result, checking the mail log of my small 6 use

Re: Weak Ciphers

2015-11-08 Thread Alex JOST
On 08.11.2015 at 13:52, John Allen wrote:
> I ran the ssl-tools tests on my mail server. Everything seems to be OK, *BUT* it reports that I am using a weak cipher "ECDHE_RSA_WITH_RC4_128_SHA"! So I sat down and googled - postfix/dovecot/apache - cipher suites/recommendations less than one year

Weak Ciphers

2015-11-08 Thread John Allen
I ran the ssl-tools tests on my mail server. Everything seems to be OK, *BUT* it reports that I am using a weak cipher "ECDHE_RSA_WITH_RC4_128_SHA"! So I sat down and googled - postfix/dovecot/apache - cipher suites/recommendations less than one year old. I gave up at about the fifteenth res