On Fri, Mar 01, 2024 at 08:58:07AM +0100, Alexander Leidinger wrote:
> > > tls_high_cipherlist=ALL:!RSA:!CAMELLIA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SHA1:!SHA256:!SHA384;
> >
> > Not recommended. It disables all non-AEAD ciphers, and aNULL ciphers,
> > which are fine to use.
Viktor Dukhovni via Postfix-users wrote in
:
|On Fri, Mar 01, 2024 at 12:26:33AM +0100, Steffen Nurpmeso wrote:
|
|> I still use the
|>
|> # super modern, forward secrecy TLSv1.2 / TLSv1.3 selection..
|> tls_high_cipherlist = EECDH+AESGCM:EECDH+AES256:EDH+AESGCM:CHACHA20
|
|I don't re
On 2024-02-29 13:46, Viktor Dukhovni via Postfix-users wrote:
On Thu, Feb 29, 2024 at 06:36:09AM -0500, Scott Hollenbeck wrote:
> What do you consider weak?
All of the anonymous Diffie-Hellman suites with an "F" score. How can
I eliminate the following:
Who's assigning the "F" scores?
Nma
On 2024-02-29 10:27, Viktor Dukhovni via Postfix-users wrote:
On Thu, Feb 29, 2024 at 08:59:44AM +0100, Alexander Leidinger via
Postfix-users wrote:
# grep tls main.cf | grep -vE '^#'
smtp_tls_security_level = encrypt
smtpd_tls_ask_ccert = yes
smtpd_tls_CApath = $smtp_tls_CApath
Not gen
On Fri, Mar 01, 2024 at 12:26:33AM +0100, Steffen Nurpmeso wrote:
> I still use the
>
> # super modern, forward secrecy TLSv1.2 / TLSv1.3 selection..
> tls_high_cipherlist = EECDH+AESGCM:EECDH+AES256:EDH+AESGCM:CHACHA20
I don't recommend cargo-culting random cipher lists.
> smtpd_tls_mand
postfix-users@postfix.org wrote in
:
|On Thu, Feb 29, 2024 at 06:36:09AM -0500, Scott Hollenbeck wrote:
|
|> Sorry, context is important. This server needs to pass a Payment Card
|> Industry (PCI) compliance scan. Their definition of weak: "key lengths of
|> less than 112 bits, or else use th
On Thu, Feb 29, 2024 at 06:36:09AM -0500, Scott Hollenbeck wrote:
> Sorry, context is important. This server needs to pass a Payment Card
> Industry (PCI) compliance scan. Their definition of weak: "key lengths of
> less than 112 bits, or else use the 3DES encryption suite". Opportunistic
> TLS is
> -Original Message-
> From: Viktor Dukhovni via Postfix-users
> Sent: Wednesday, February 28, 2024 8:46 PM
> To: postfix-users@postfix.org
> Subject: [pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak
> Ciphers
>
> On Wed, Feb 28, 2024 at
On Thu, Feb 29, 2024 at 08:59:44AM +0100, Alexander Leidinger via Postfix-users
wrote:
> # grep tls main.cf | grep -vE '^#'
> smtp_tls_security_level = encrypt
> smtpd_tls_ask_ccert = yes
> smtpd_tls_CApath = $smtp_tls_CApath
Not generally applicable.
> smtp_tls_mandatory_protocols = !SSLv2 ,
On 2024-02-28 14:55, Scott Hollenbeck via Postfix-users wrote:
Would someone please describe the configuration settings needed to
support
TLS 1.2 and 1.3 with no weak ciphers? Here's what I currently have in
my
That depends on your definition of "weak".
configuration
On Wed, Feb 28, 2024 at 08:55:04AM -0500, Scott Hollenbeck via Postfix-users
wrote:
> Would someone please describe the configuration settings needed to support
> TLS 1.2 and 1.3 with no weak ciphers? Here's what I currently have in my
> configuration files:
This is not the
> -Original Message-
> From: Wietse Venema via Postfix-users
> Sent: Wednesday, February 28, 2024 3:11 PM
> To: Postfix users
> Subject: [pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak
> Ciphers
>
> Scott Hollenbeck via Postfix-users:
> >
Scott Hollenbeck via Postfix-users:
> Right, but that page says "You are strongly encouraged not to change this
> setting". I'm also unsure why I'm not seeing any TLS 1.3 ciphers when
> "smtpd_tls_protocols = >=TLSv1.2". Doesn't that setting include TLS 1.3?
tls_high_cipherlist and tls_medium_cip
-
> From: Wietse Venema via Postfix-users
> Sent: Wednesday, February 28, 2024 2:38 PM
> To: Postfix users
> Subject: [pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak
> Ciphers
>
> Scott Hollenbeck via Postfix-users:
> > Thanks, here's the outp
h_cipherlist
https://www.postfix.org/postconf.5.html#tls_medium_cipherlist
Wietse
>
> Scott
>
> > -Original Message-
> > From: Wietse Venema via Postfix-users
> > Sent: Wednesday, February 28, 2024 2:18 PM
> > To: Postfix users
> > Subject: [p
users
> Subject: [pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak
> Ciphers
>
> Scott Hollenbeck via Postfix-users:
> > Sorry, I should note that this is for postfix 3.6.4.
> >
>
> postconf -H | grep -E 'high|medium'
>
> Wie
8, 2024 8:55 AM
> > To: postfix-users@postfix.org
> > Subject: [pfx] Configuration Settings for TLS 1.2 and 1.3 with No Weak
> Ciphers
> >
> > Would someone please describe the configuration settings needed to support
> > TLS 1.2 and 1.3 with no weak ciphers? Here
Sorry, I should note that this is for postfix 3.6.4.
Scott
> -Original Message-
> From: Scott Hollenbeck via Postfix-users
> Sent: Wednesday, February 28, 2024 8:55 AM
> To: postfix-users@postfix.org
> Subject: [pfx] Configuration Settings for TLS 1.2 and 1.3 with
Would someone please describe the configuration settings needed to support
TLS 1.2 and 1.3 with no weak ciphers? Here's what I currently have in my
configuration files:
main.cf:
smtpd_tls_cert_file=/etc/letsencrypt/live/mysite.net/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/mysit
On Sun, Nov 08, 2015 at 07:52:27AM -0500, John Allen wrote:
> I ran the ssl-tools tests on my mail server.
> Everything seems to be OK, *BUT* it reports that I am using a weak cipher
> "ECDHE_RSA_WITH_RC4_128_SHA"!
Ignore their report for now. I am tentatively planning to disable
RC4 in default
:23 PM
To: postfix-users@postfix.org
Subject: Re: Weak Ciphers
To be RFC compliant port 25 must accept MTA to MTA connections with no
encryption.
When another server can't connect with encryption, it will try without.
Allowing weak ciphers is better than the result where ciphers are not
To be RFC compliant port 25 must accept MTA to MTA connections with no
encryption.
When another server can't connect with encryption, it will try without.
Allowing weak ciphers is better than the result where ciphers are not
used because the other server only supports older ciphers
I am using Viktor's recommendation from August 2015 here on the list,
see:
-> http://thread.gmane.org/gmane.mail.postfix.user/251935/focus=251935
The ssl-tools.net test warns about supported weak ciphers, namely
ECDHE_RSA_WITH_RC4_128_SHA as in your result, checking the mail log of
my small 6 use
On 08.11.2015 at 13:52, John Allen wrote:
I ran the ssl-tools tests on my mail server.
Everything seems to be OK, *BUT* it reports that I am using a weak
cipher "ECDHE_RSA_WITH_RC4_128_SHA"!
So I sat down and googled - postfix/dovecot/apache - ciphers
suites/recommendations less than one year
I ran the ssl-tools tests on my mail server.
Everything seems to be OK, *BUT* it reports that I am using a weak
cipher "ECDHE_RSA_WITH_RC4_128_SHA"!
So I sat down and googled - postfix/dovecot/apache - ciphers
suites/recommendations less than one year old.
I gave up at about the fifteenth res
25 matches