On 24.12.2013 19:13, Viktor Dukhovni wrote:
> On Tue, Dec 24, 2013 at 06:36:08PM +0100, li...@rhsoft.net wrote:
>
>> For me it looked logical that if I have the two params for
>> smtpd_ and there are identical for smtp_ they should be both
>> used with the same cert
>>
>> smtpd_tls_cert_file =
On Tue, Dec 24, 2013 at 06:36:08PM +0100, li...@rhsoft.net wrote:
> For me it looked logical that if I have the two params for
> smtpd_ and there are identical for smtp_ they should be both
> used with the same cert
>
> smtpd_tls_cert_file = /etc/postfix/certs/localhost.pem
> smtpd_tls_key_file
On 24.12.2013 18:13, Viktor Dukhovni wrote:
> On Tue, Dec 24, 2013 at 05:45:21PM +0100, li...@rhsoft.net wrote:
>
>> Maybe a good idea to consider using the wildcard-certificate
>> with SHA2 for outgoing messages and order a 3072/SHA1 for the
>> MX and use the wildcard for all other services
>
>
On Tue, Dec 24, 2013 at 05:45:21PM +0100, li...@rhsoft.net wrote:
> Maybe a good idea to consider using the wildcard-certificate
> with SHA2 for outgoing messages and order a 3072/SHA1 for the
> MX and use the wildcard for all other services
You don't need to, and SHOULD NOT, configure a client c
On 24.12.2013 17:33, Viktor Dukhovni wrote:
> On Tue, Dec 24, 2013 at 11:16:50AM +0100, li...@rhsoft.net wrote:
>
>>> The symptom would be that your certificate chain is not verifiable,
>>> verify error:num=7:certificate signature failure
>>
>> Thank you for that.
>>
>> Am I right that this do
On Tue, Dec 24, 2013 at 11:16:50AM +0100, li...@rhsoft.net wrote:
> > The symptom would be that your certificate chain is not verifiable,
> > verify error:num=7:certificate signature failure
>
> Thank you for that.
>
> Am I right that this does not break opportunistic TLS at a whole
> for such d
On 24.12.2013 04:03, Viktor Dukhovni wrote:
> On Tue, Dec 24, 2013 at 01:16:33AM +0100, li...@rhsoft.net wrote:
>>> Deploying digests beyond SHA1 will cause interoperability problems
>>> with systems that don't yet support the SHA2 family
>>
>> Are you aware of systems / mailservers which would
On Tue, Dec 24, 2013 at 01:16:33AM +0100, li...@rhsoft.net wrote:
> > Deploying digests beyond SHA1 will cause interoperability problems
> > with systems that don't yet support the SHA2 family
>
> Are you aware of systems / mailservers which would have a
> problem with it?
Yes. Any OpenSSL base
nanotek wrote:
>I am receiving a "Certificate Error" when sending mail from K-9 on my
>android. I do not receive any error on my PC client (Thunderbird).
>
>I only have a self-signed public certificate and private key configured
>
>for use by Postfix. Should
On 23.12.2013 16:09, Viktor Dukhovni wrote:
> On Tue, Dec 24, 2013 at 01:29:38AM +1100, nanotek wrote:
>> Still, might be a good time to create my own CA and upgrade to 4096 bit
>> keys/certificates
>
> You can deploy 4096-bit RSA key if it makes you feel more cool,
> but there is little point
On Tue, Dec 24, 2013 at 03:00:37AM +1100, nanotek wrote:
> >We obviously don't know which is stronger against hypothetical
> >unpublished attacks, EDH at 2048-bits or the P-256 curve. Feel
> >free to roll the dice. Against publicly known attacks P-256 is
> >both more secure and more computatio
On 24/12/2013 2:09 AM, Viktor Dukhovni wrote:
On Tue, Dec 24, 2013 at 01:29:38AM +1100, nanotek wrote:
Still, might be a good time to create my own CA and upgrade to 4096 bit
keys/certificates
You can deploy 4096-bit RSA key if it makes you feel more cool,
but there is little point in going b
On Mon, Dec 23, 2013 at 03:09:09PM +, Viktor Dukhovni wrote:
> > using SHA512 algorithms
>
> TLSv1 and TLSv1.2 does not support negotiation of digest algorithms.
I meant "TLSv1 and TLSv1.1", but typed TLSv1.2.
Speaking of TLSv1.2, does anyone have more information about:
https://rt.ope
On Tue, Dec 24, 2013 at 01:29:38AM +1100, nanotek wrote:
> Still, might be a good time to create my own CA and upgrade to 4096 bit
> keys/certificates
You can deploy 4096-bit RSA key if it makes you feel more cool,
but there is little point in going beyond 2048-bit RSA at this
time. The further
nanotek:
> Still, might be a good time to create my own CA and upgrade to 4096 bit
> keys/certificates using SHA512 algorithms and make use of some
> Diffie-Hellman ephemeral elliptic curve parameters for perfect forward
> secrecy. I've read http://www.postfix.org/TLS_README.html -- Postfix
> docum
Original Message
Date: Tuesday, December 24, 2013 12:57:53 AM +1100
From: nanotek
To: postfix-users@postfix.org
Subject: Certificate Error (android client)
I am receiving a "Certificate Error" when sending mail from K-9 on
my android. I do not receive an
I am receiving a "Certificate Error" when sending mail from K-9 on my
android. I do not receive any error on my PC client (Thunderbird).
I only have a self-signed public certificate and private key configured
for use by Postfix. Should I create my own Certificate Authority an
On Wed, 31 Aug 2011 22:21:39 +0200
Tobias Hachmer articulated:
> On Wed, 31 Aug 2011 20:23:26 +0300, gaby wrote:
> > Use Win XP SP3, Outlook Express, the CA certificate is stored in
> > trusted
> > Root Certification Authorities and it is imported with success.
> > In the other device (Nokia Phone)
On Wed, 31 Aug 2011 20:23:26 +0300, gaby wrote:
Use Win XP SP3, Outlook Express, the CA certificate is stored in
trusted
Root Certification Authorities and it is imported with success.
In the other device (Nokia Phone) answer about CA certificate is only
once, then phone email is normal functionally
-
From: Tobias Hachmer
To: postfix-users@postfix.org
Sent: Wednesday, August 31, 2011 8:00 PM
Subject: Re: CA certificate error in outllook
On Wed, 31 Aug 2011 16:34:08 +0300, gaby wrote:
> I use postfix with TLS option. I create certificates in same mod as
> p
On Wed, 31 Aug 2011 16:34:08 +0300, gaby wrote:
I use postfix with TLS option. I create certificates in same mod as
postfix documentation. It is OK, postfix is perfect functionally
I import CA certificate from PEM format in DER format then was
installed
in
wihttps://www.hachmer.de/?_task=mail&_id
No Problem at all.
Seems you are using a "self-signed" cert.
You can buy cheap domain validated SSL certs by 59€ / year I mean to
remember.
Then this message won't show up.
Or you accept the cert in the mail client, then this message also is
not shown.
In Thunderbird you can do this, dunno how
Hi
I use postfix with TLS option. I create certificates in same mod as postfix
documentation. It is OK, postfix is perfect functionally
I import CA certificate from PEM format in DER format then was installed in
Windows as trusted certificate.
When I send email with Outlook, or Outlook Express, i
2010/1/8 Davy Leon :
> I'm getting this message in my /var/log/maillog every time postfix delivers a
> message. The message is delivered, but it logs this message. How can I solve
> this?
>
> Jan 6 18:17:25 centrino postfix/smtp[3699]: certificate verification failed
> for smarthost.example.com: nu
Hi folks
I'm getting this message in my /var/log/maillog every time postfix delivers a
message. The message is delivered, but it logs this message. How can I solve
this?
Thanks
Davy
Jan 6 18:17:25 centrino postfix/smtp[3699]: certificate verification failed
for smarthost.example.com: num=20