> This is not a constructive way to disagree.
Indeed. Please accept my apologies for being rude.
And also being wrong. OpenBSD's acme-client clearly has "#define KBITS 4096".
Olaf
On Wed, Oct 05, 2022 at 08:26:26PM +0200, ch...@syscall.de wrote:
> > OpenBSD used a 4096 bits one on top of Let's Encrypt, at least
>
> May I call this plain BS? Thanks
This is not a constructive way to disagree. Can you point at some
evidence to the contrary, or minimally explain what altern
> OpenBSD used a 4096 bits one on top of Let's Encrypt, at least
May I call this plain BS? Thanks
Olaf
Nick Tait wrote in
:
|On 2/10/2022 10:51 pm, Matus UHLAR - fantomas wrote:
|> yes, Let's Encrypt clients generate 4096 keys by default, which is
|> silly because intermediate R3 certificate is only 2048-bit.
|>
|> I configure let's encrypt clients to create 2048 keys.
|
|AFAICT Certbot st
On 2/10/2022 10:51 pm, Matus UHLAR - fantomas wrote:
yes, Let's Encrypt clients generate 4096 keys by default, which is
silly because intermediate R3 certificate is only 2048-bit.
I configure let's encrypt clients to create 2048 keys.
AFAICT Certbot still uses 2048-bit keys by default.
Nick
On 02/10/2022 at 11:51, Matus UHLAR - fantomas wrote:
On 10/1/22 16:16, Viktor Dukhovni wrote:
4096-bit RSA certificates mostly work, but are pointless crypto
exhibitionism, waste CPU, can run into client implementation
limitations, and so are not a good idea.
On 01.10.22 17:20, Shawn Heisey
I do have it listening on port 465, hopefully I got the config right
so that it does not allow authentication. I think I also disabled TLS
below 1.2 on port 587.
On 10/1/22 20:44, Viktor Dukhovni wrote:
What would be the use of "465" if SASL authentication is not allowed?
It should be configu
On 10/1/22 16:16, Viktor Dukhovni wrote:
4096-bit RSA certificates mostly work, but are pointless crypto
exhibitionism, waste CPU, can run into client implementation
limitations, and so are not a good idea.
On 01.10.22 17:20, Shawn Heisey wrote:
My cert from letsencrypt is 4096 bit.
yes, Le
On Sat, Oct 01, 2022 at 09:32:49PM +, Eddie Rowe wrote:
> > You should have at least an RSA certificate (2048-bit key, not more), and
> > only
> I do not recall seeing this on the PostFix web site that discusses TLS
> settings as I struggle to setup TLS with our existing wildcard certificate.
On Sat, Oct 01, 2022 at 09:25:17PM -0600, Shawn Heisey wrote:
> I am leaning towards completely disabling smtps and removing the permit
> on the AWS firewall. Since 465 is not an actual standard, I think
> everyone is using 587. I guess if I disable 465 and anyone is using it,
> I'll hear abo
On 10/1/22 20:44, Viktor Dukhovni wrote:
I do have it listening on port 465, hopefully I got the config right
so that it does not allow authentication. I think I also disabled TLS
below 1.2 on port 587.
What would be the use of "465" if SASL authentication is not allowed?
It should be configure
On Sat, Oct 01, 2022 at 10:44:48PM -0400, Viktor Dukhovni wrote:
> > Sep 25 00:07:45 bilbo dovecot: imap-login: Disconnected: Connection
> > closed: SSL_accept() failed: error:14209102:SSL
> > routines:tls_early_post_process_client_hello:unsupported protocol (no
> > auth attempts in 3 secs): us
On Sat, Oct 01, 2022 at 08:19:41PM -0600, Shawn Heisey wrote:
> These numbers suggest that most full connections are in fact using TLS.
More precisely, most attempts at STARTTLS succeed. Neither set of
numbers counts connections where STARTTLS was not even attempted.
> Here is the log from
On 10/1/22 18:04, Wietse Venema wrote:
Look for the 'disconnect' logfile record, it will report if starttls
was used, and if it was successful.
A recent example:
Sep 27 13:06:35 spike postfix/smtpd[78883]: disconnect from
m227-25.mailgun.net[159.135.227.25] ehlo=1 starttls=0/1 commands=1/2
Se
On Sat, Oct 01, 2022 at 05:20:13PM -0600, Shawn Heisey wrote:
> If the way I got the total counts is valid, then most of the connections
> are NOT using TLS. I wonder how many of those are using plaintext
> because my cert is 4096 bit and their encryption library cannot use it.
> I don't know
Shawn Heisey:
> If the way I got the total counts is valid, then most of the connections
> are NOT using TLS. I wonder how many of those are using plaintext
> because my cert is 4096 bit and their encryption library cannot use it.
Look for the 'disconnect' logfile record, it will report if st
On 10/1/22 16:16, Viktor Dukhovni wrote:
4096-bit RSA certificates mostly work, but are pointless crypto
exhibitionism, waste CPU, can run into client implementation
limitations, and so are not a good idea.
Interesting. This message is offtopic for the thread.
My cert from letsencrypt is 4096
On Sat, Oct 01, 2022 at 09:32:49PM +, Eddie Rowe wrote:
> > You should have at least an RSA certificate (2048-bit key, not more), and
> > only
>
> I do not recall seeing this on the PostFix web site that discusses TLS
> settings as I struggle to setup TLS with our existing wildcard
> certific
> Lists Nethead wrote on 2022-09-28 19:34:
> >> (P-256 is plenty strong, not P-384 or P-521).
>
> > Yes agree, on my way there now.
>
> typo P-521
Gets confusing when you are so used to seeing things in increments of 128.
https://community.letsencrypt.org/t/does-lets-encrypt-support-secp521r1-
> You should have at least an RSA certificate (2048-bit key, not more), and only
I do not recall seeing this on the PostFix web site that discusses TLS settings
as I struggle to setup TLS with our existing wildcard certificate. Can you
confirm a 4096-bit certificate will not work?
On Wed, Sep 28, 2022 at 07:47:17PM +0200, Benny Pedersen wrote:
> Lists Nethead wrote on 2022-09-28 19:34:
> >> (P-256 is plenty strong, not P-384 or P-521).
>
> > Yes agree, on my way there now.
>
> typo P-521
There was no typo.
--
Viktor.
On 28.09.22 18:38, Lists Nethead wrote:
Hello again postfix-users,
After Viktor gave really helpful advice re SSLv3, now on to the next
problem, dealing with crypto is opening a can of worms, at least where
I am.
We cannot receive messages from a Big Corp, our Postfix MXs respond
with "no
Lists Nethead wrote on 2022-09-28 19:34:
(P-256 is plenty strong, not P-384 or P-521).
Yes agree, on my way there now.
typo P-521
Quoting Viktor Dukhovni :
On Wed, Sep 28, 2022 at 07:22:37PM +0200, Lists Nethead wrote:
> Your server defaults to an ECDSA P-384 certificate, the client may not
> support ECDSA at all, or may not support P-384 (P-256 is a more broadly
> supported choice):
>
> $ posttls-finger -c -lmay -
On Wed, Sep 28, 2022 at 07:22:37PM +0200, Lists Nethead wrote:
> > Your server defaults to an ECDSA P-384 certificate, the client may not
> > support ECDSA at all, or may not support P-384 (P-256 is a more broadly
> > supported choice):
> >
> > $ posttls-finger -c -lmay -Lsummary "[nh1.nethead
Quoting Viktor Dukhovni :
On Wed, Sep 28, 2022 at 06:47:39PM +0200, Lists Nethead wrote:
>> smtpd_tls_protocols = >=TLSv1.2
>
> That's not the default setting.
>
>> smtpd_tls_exclude_ciphers = aNULL
>
> This only appeases clueless auditors, in reality it is silly.
>
>> From what I can see
On Wed, Sep 28, 2022 at 06:47:39PM +0200, Lists Nethead wrote:
> >> smtpd_tls_protocols = >=TLSv1.2
> >
> > That's not the default setting.
> >
> >> smtpd_tls_exclude_ciphers = aNULL
> >
> > This only appeases clueless auditors, in reality it is silly.
> >
> >> From what I can see, this is what
Lists Nethead wrote on 2022-09-28 19:00:
Quoting Benny Pedersen :
Lists Nethead wrote on 2022-09-28 18:47:
smtpd_tls_protocols = >=TLSv1.2
Hm, what is the default then?
put an # in front of this line in main.cf, then do a postfix reload
simple ? :=)
If this would enable everything from
Quoting Benny Pedersen :
Lists Nethead wrote on 2022-09-28 18:47:
smtpd_tls_protocols = >=TLSv1.2
Hm, what is the default then?
put an # in front of this line in main.cf, then do a postfix reload
simple ? :=)
If this would enable everything from tls1, no.
Lists Nethead wrote on 2022-09-28 18:47:
smtpd_tls_protocols = >=TLSv1.2
Hm, what is the default then?
put an # in front of this line in main.cf, then do a postfix reload
simple ? :=)
Quoting Viktor Dukhovni :
On Wed, Sep 28, 2022 at 06:38:15PM +0200, Lists Nethead wrote:
Hello again postfix-users,
After Viktor gave really helpful advice re SSLv3, now on to the next
problem, dealing with crypto is opening a can of worms, at least where
I am.
We cannot receive messages f
On Wed, Sep 28, 2022 at 06:38:15PM +0200, Lists Nethead wrote:
>
> Hello again postfix-users,
>
> After Viktor gave really helpful advice re SSLv3, now on to the next
> problem, dealing with crypto is opening a can of worms, at least where
> I am.
>
> We cannot receive messages from a Big Co
Hello again postfix-users,
After Viktor gave really helpful advice re SSLv3, now on to the next
problem, dealing with crypto is opening a can of worms, at least where
I am.
We cannot receive messages from a Big Corp, our Postfix MXs respond
with "no shared cipher". The configuration i