Re: Certificate Error (android client)

2013-12-24 Thread li...@rhsoft.net
Am 24.12.2013 19:13, schrieb Viktor Dukhovni: > On Tue, Dec 24, 2013 at 06:36:08PM +0100, li...@rhsoft.net wrote: > >> For me it looked logical that if I have the two params for >> smtpd_ and there are identical for smtp_ they should be both >> used with the same cert >> >> smtpd_tls_cert_file =

Re: Certificate Error (android client)

2013-12-24 Thread Viktor Dukhovni
On Tue, Dec 24, 2013 at 06:36:08PM +0100, li...@rhsoft.net wrote: > For me it looked logical that if I have the two params for > smtpd_ and there are identical for smtp_ they should be both > used with the same cert > > smtpd_tls_cert_file = /etc/postfix/certs/localhost.pem > smtpd_tls_key_file

Re: Certificate Error (android client)

2013-12-24 Thread li...@rhsoft.net
Am 24.12.2013 18:13, schrieb Viktor Dukhovni: > On Tue, Dec 24, 2013 at 05:45:21PM +0100, li...@rhsoft.net wrote: > >> Maybe a good idea to consider using the wildcard-certificate >> with SHA2 for outgoing messages and order a 3072/SHA1 for the >> MX and use the wildcard for all other services > >

Re: Certificate Error (android client)

2013-12-24 Thread Viktor Dukhovni
On Tue, Dec 24, 2013 at 05:45:21PM +0100, li...@rhsoft.net wrote: > Maybe a good idea to consider using the wildcard-certificate > with SHA2 for outgoing messages and order a 3072/SHA1 for the > MX and use the wildcard for all other services You don't need to, and SHOULD NOT, configure a client c

Re: Certificate Error (android client)

2013-12-24 Thread li...@rhsoft.net
Am 24.12.2013 17:33, schrieb Viktor Dukhovni: > On Tue, Dec 24, 2013 at 11:16:50AM +0100, li...@rhsoft.net wrote: > >>> The symptom would be that your certificate chain is not verifiable, >>> verify error:num=7:certificate signature failure >> >> Thank you for that. >> >> Am I right that this do

Re: Certificate Error (android client)

2013-12-24 Thread Viktor Dukhovni
On Tue, Dec 24, 2013 at 11:16:50AM +0100, li...@rhsoft.net wrote: > > The symptom would be that your certificate chain is not verifiable, > > verify error:num=7:certificate signature failure > > Thank you for that. > > Am I right that this does not break opportunistic TLS at a whole > for such d

Re: Certificate Error (android client)

2013-12-24 Thread li...@rhsoft.net
Am 24.12.2013 04:03, schrieb Viktor Dukhovni: > On Tue, Dec 24, 2013 at 01:16:33AM +0100, li...@rhsoft.net wrote: >>> Deploying digests beyond SHA1 will cause interoperability problems >>> with systems that don't yet support the SHA2 family >> >> Are you aware of systems / mailservers which would

Re: Certificate Error (android client)

2013-12-23 Thread Viktor Dukhovni
On Tue, Dec 24, 2013 at 01:16:33AM +0100, li...@rhsoft.net wrote: > > Deploying digests beyond SHA1 will cause interoperability problems > > with systems that don't yet support the SHA2 family > > Are you aware of systems / mailservers which would have a > problem with it? Yes. Any OpenSSL base

Re: Certificate Error (android client)

2013-12-23 Thread Voytek
nanotek wrote: >I am receiving a "Certificate Error" when sending mail from K-9 on my >android. I do not receive any error on my PC client (Thunderbird). > >I only have a self-signed public certificate and private key configured > >for use by Postfix. Should

Re: Certificate Error (android client)

2013-12-23 Thread li...@rhsoft.net
Am 23.12.2013 16:09, schrieb Viktor Dukhovni: > On Tue, Dec 24, 2013 at 01:29:38AM +1100, nanotek wrote: >> Still, might be a good time to create my own CA and upgrade to 4096 bit >> keys/certificates > > You can deploy 4096-bit RSA key if it makes you feel more cool, > but there is little point

Re: Forward secrecy (was: Certificate Error)

2013-12-23 Thread Viktor Dukhovni
On Tue, Dec 24, 2013 at 03:00:37AM +1100, nanotek wrote: > >We obviously don't know which is stronger against hypothetical > >unpublished attacks, EDH at 2048-bits or the P-256 curve. Feel > >free to roll the dice. Against publicly known attacks P-256 is > >both more secure and more computatio

RE: Forward secrecy (was: Certificate Error)

2013-12-23 Thread nanotek
On 24/12/2013 2:09 AM, Viktor Dukhovni wrote: On Tue, Dec 24, 2013 at 01:29:38AM +1100, nanotek wrote: Still, might be a good time to create my own CA and upgrade to 4096 bit keys/certificates You can deploy 4096-bit RSA key if it makes you feel more cool, but there is little point in going b

Re: Certificate Error (android client)

2013-12-23 Thread Viktor Dukhovni
On Mon, Dec 23, 2013 at 03:09:09PM +, Viktor Dukhovni wrote: > > using SHA512 algorithms > > TLSv1 and TLSv1.2 does not support negotiation of digest algorithms. I meant "TLSv1 and TLSv1.1", but typed TLSv1.2. Speaking of TLSv1.2, does anyone have more information about: https://rt.ope

Re: Certificate Error (android client)

2013-12-23 Thread Viktor Dukhovni
On Tue, Dec 24, 2013 at 01:29:38AM +1100, nanotek wrote: > Still, might be a good time to create my own CA and upgrade to 4096 bit > keys/certificates You can deploy 4096-bit RSA key if it makes you feel more cool, but there is little point in going beyond 2048-bit RSA at this time. The further

Forward secrecy (was: Certificate Error)

2013-12-23 Thread Wietse Venema
nanotek: > Still, might be a good time to create my own CA and upgrade to 4096 bit > keys/certificates using SHA512 algorithms and make use of some > Diffie-Hellman ephemeral elliptic curve parameters for perfect forward > secrecy. I've read http://www.postfix.org/TLS_README.html -- Postfix > docum

Re: Certificate Error (android client)

2013-12-23 Thread nanotek
Original Message Date: Tuesday, December 24, 2013 12:57:53 AM +1100 From: nanotek To: postfix-users@postfix.org Subject: Certificate Error (android client) I am receiving a "Certificate Error" when sending mail from K-9 on my android. I do not receive an

Certificate Error (android client)

2013-12-23 Thread nanotek
I am receiving a "Certificate Error" when sending mail from K-9 on my android. I do not receive any error on my PC client (Thunderbird). I only have a self-signed public certificate and private key configured for use by Postfix. Should I create my own Certificate Authority an

Re: CA certificate error in outllook

2011-08-31 Thread Jerry
On Wed, 31 Aug 2011 22:21:39 +0200 Tobias Hachmer articulated: > On Wed, 31 Aug 2011 20:23:26 +0300, gaby wrote: > > Use Win XP SP3, Outlook Express, the CA certificate is stored in > > trusted > > Root Certification Authorities and it is imported with success. > > In the other device (Nokia Phone)

Re: CA certificate error in outllook

2011-08-31 Thread Tobias Hachmer
On Wed, 31 Aug 2011 20:23:26 +0300, gaby wrote: Use Win XP SP3, Outlook Express, the CA certificate is stored in trusted Root Certification Authorities and it is imported with success. In the other device (Nokia Phone) answer about CA certificate is only once, then phone email is normal functionally

Re: CA certificate error in outllook

2011-08-31 Thread gaby
- From: Tobias Hachmer To: postfix-users@postfix.org Sent: Wednesday, August 31, 2011 8:00 PM Subject: Re: CA certificate error in outllook On Wed, 31 Aug 2011 16:34:08 +0300, gaby wrote: > I use postfix with TLS option. I create certificates in same mod as > p

Re: CA certificate error in outllook

2011-08-31 Thread Tobias Hachmer
On Wed, 31 Aug 2011 16:34:08 +0300, gaby wrote: I use postfix with TLS option. I create certificates in same mod as postfix documentation. It is OK, postfix is perfect functionally I import CA certificate from PEM format in DER format then was installed in wi

Re: CA certificate error in outllook

2011-08-31 Thread weber
No problem at all. Seems you are using a "self-signed" cert. You can buy cheap domain validated SSL certs by 59€ / year I mean to remember. Then this message won't show up. Or you accept the cert in the mail client, then this message also is not shown. In Thunderbird you can do this, dunno how

CA certificate error in outllook

2011-08-31 Thread gaby
Hi I use postfix with TLS option. I create certificates in same mod as postfix documentation. It is OK, postfix is perfect functionally I import CA certificate from PEM format in DER format then was installed in windows as trusted certificate. When I send email with Outlook, or Outlook Express, i

Re: certificate error

2010-01-07 Thread Barney Desmond
2010/1/8 Davy Leon : > I'm getting this message in my /var/log/maillog every time postfix delivers a > message. The message is delivered, but it logs this message. How can I solve > this? > > Jan  6 18:17:25 centrino postfix/smtp[3699]: certificate verification failed > for smarthost.example.com: nu

certificate error

2010-01-07 Thread Davy Leon
Hi folks I'm getting this message in my /var/log/maillog every time postfix delivers a message. The message is delivered, but it logs this message. How can I solve this? Thanks Davy Jan 6 18:17:25 centrino postfix/smtp[3699]: certificate verification failed for smarthost.example.com: num=20