On Thu, May 28, 2015 at 02:09:37PM +0200, DTNX Postmaster wrote:
> > I would love to see postfix smtp client reject connections to my weak
> > Server.
> >
> > And *that* is the point...
>
> Also, remember that SMTP is based on opportunistic encryption, triggered
> by the presence of 'STARTTLS'
On 28 May 2015, at 12:16, A. Schulze wrote:
>> There are several problems with your configuration. Please refer to the
>> mailing list archive for how to configure Postfix to deal with Logjam.
>> It has been discussed extensively in this thread;
>>
>> http://marc.info/?t=14323933481&r=1&w=2
>
On Thu, May 28, 2015 at 12:21:42PM +0200, A. Schulze wrote:
> >When the server is authenticated, it is not going to send weak DH
> >keys with strong ciphers.
>
> why?
Authenticated servers don't go out of their way to present artificially
weak keys. If they really want to disclose the session co
Viktor Dukhovni:
Indeed, because such a policy would properly be an OpenSSL feature,
not a Postfix feature. However, the whole attack is largely
irrelevant for SMTP. Unless you're authenticating the server (DANE
or Web PKI) you're subject to MiTM attacks with or without logjam.
correct.
W
DTNX Postmaster:
There are several problems with your configuration. Please refer to the
mailing list archive for how to configure Postfix to deal with Logjam.
It has been discussed extensively in this thread;
http://marc.info/?t=14323933481&r=1&w=2
I read this as "how do I provide strong
On Thu, May 28, 2015 at 11:38:35AM +0200, A. Schulze wrote:
> The crypto weakness of the month is named "logjam".
> If you could connect to https://dhe512.zmap.io your SSL-Client / Browser
> supports weak crypto.
> What does that mean for postfix?
Postfix SMTP servers should disable "export" ciphe
On 28 May 2015, at 11:38, A. Schulze wrote:
> the crypto weakness of the month is named "logjam".
> If you could connect to https://dhe512.zmap.io your SSL-Client / Browser
> supports weak crypto.
> What does that mean for postfix?
>
> We set up a postfix smtp server with
>
>smtpd_tls_dh1024
Hello,
the crypto weakness of the month is named "logjam".
If you could connect to https://dhe512.zmap.io your SSL-Client /
Browser supports weak crypto.
What does that mean for postfix?
We set up a postfix smtp server with
smtpd_tls_dh1024_param_file = /path/to/dh_512.pem
smtpd_tls_e