In message <20160122213312.gk25...@mournblade.imrryr.org>
Viktor Dukhovni writes:
> On Fri, Jan 22, 2016 at 03:14:22PM -0500, Curtis Villamizar wrote:
>
> > You might
> > also want to report that the keys they use are less than LOW security
> > but that might be a feature.
>
> You're mistaken
On Fri, Jan 22, 2016 at 03:14:22PM -0500, Curtis Villamizar wrote:
> You might
> also want to report that the keys they use are less than LOW security
> but that might be a feature.
You're mistaken. These ciphers are HIGH.
> Note that none of the ciphers used by comcast.net support even low
> s
In message <20160122041647.gh25...@mournblade.imrryr.org>
Viktor Dukhovni writes:
> On Thu, Jan 21, 2016 at 10:55:19PM -0500, Curtis Villamizar wrote:
>
> > It took a while to get a dumpfile. My tcpdump command only covered a
> > subset of comcast.net mailhosts.
> >
> > This has a failed TLS
On Thu, Jan 21, 2016 at 10:55:19PM -0500, Curtis Villamizar wrote:
> It took a while to get a dumpfile. My tcpdump command only covered a
> subset of comcast.net mailhosts.
>
> This has a failed TLS negotiation and a few packets from a next
> attempt. The log entry below covers this first conne
In message <20160115235712.gn...@mournblade.imrryr.org>
Viktor Dukhovni writes:
>
> On Fri, Jan 15, 2016 at 06:47:38PM -0500, Curtis Villamizar wrote:
>
> > Viktor,
> >
> > If you are still interested below is a tcpdump.
> >
> > If not interested, please just delete.
>
> I was looking for a
On Fri, Jan 15, 2016 at 06:47:38PM -0500, Curtis Villamizar wrote:
> Viktor,
>
> If you are still interested below is a tcpdump.
>
> If not interested, please just delete.
I was looking for a binary PCAP file, not an ASCII decode. Yes,
it would be good to know whether Comcast was having ECDSA
In message <88031027-d5b8-4f48-947d-294302fac...@dukhovni.org>
Viktor Dukhovni writes:
> Post a PCAP file of a single failed TLS handshake. I know the person
> at comcast in charge of their email transport security. I can probably
> get them to fix it once we nail down the problem, assuming it
In message <20160115051749.gl...@mournblade.imrryr.org>
Viktor Dukhovni writes:
> On Thu, Jan 14, 2016 at 11:54:13PM -0500, Curtis Villamizar wrote:
>
> > > > > > smtp_tls_ciphers = high
> > > > >
> > > > > Usually best to leave this at "medium". This is opportunistic
> > > > > TLS,
On Thu, Jan 14, 2016 at 11:54:13PM -0500, Curtis Villamizar wrote:
> > > > > smtp_tls_ciphers = high
> > > >
> > > > Usually best to leave this at "medium". This is opportunistic
> > > > TLS, and if high fails, you'll send cleartext, which is NOT
> > > > stronger than medium.
> > >
Hi Viktor,
I really appreciate all of the good information you have provided. We
are going in circles in a few places because we have different goals.
See comments inline and at the end of this message.
In message <20160114212645.gk...@mournblade.imrryr.org>
Viktor Dukhovni writes:
>
> On Thu,
In message <20160114200215.gj...@mournblade.imrryr.org>
Viktor Dukhovni writes:
> On Thu, Jan 14, 2016 at 02:07:07PM -0500, Curtis Villamizar wrote:
>
> > In message
> > Curtis Villamizar writes:
> >
> > > btw - I just added "!TLSv1.0" to get only TLSv1.2. I wasn't sure I
> > > could specif
On Thu, Jan 14, 2016 at 03:53:23PM -0500, Curtis Villamizar wrote:
> > > smtp_tls_ciphers = high
> >
> > Usually best to leave this at "medium". This is opportunistic
> > TLS, and if high fails, you'll send cleartext, which is NOT
> > stronger than medium.
>
> That's actually fine
In message <20160114175729.gg...@mournblade.imrryr.org>
Viktor Dukhovni writes:
> On Thu, Jan 14, 2016 at 12:06:43PM -0500, Curtis Villamizar wrote:
>
> > /usr/local/sbin/postconf -c /etc/postfix -n | grep tls
> >
> > smtp_tls_cert_file = /etc/postfix/cert.pem
> > smtp_tls_key_file = /etc/post
On Thu, Jan 14, 2016 at 02:07:07PM -0500, Curtis Villamizar wrote:
> In message
> Curtis Villamizar writes:
>
> > btw - I just added "!TLSv1.0" to get only TLSv1.2. I wasn't sure I
> > could specify !TLSv1.0 so I just tried it.
Who said the correct name is "TLSv1.0"?
http://www.postfix.o
In message
Curtis Villamizar writes:
> btw - I just added "!TLSv1.0" to get only TLSv1.2. I wasn't sure I
> could specify !TLSv1.0 so I just tried it.
>
> Curtis
oops that didn't work.
Curtis
On Thu, Jan 14, 2016 at 12:06:43PM -0500, Curtis Villamizar wrote:
> /usr/local/sbin/postconf -c /etc/postfix -n | grep tls
>
> smtp_tls_cert_file = /etc/postfix/cert.pem
> smtp_tls_key_file = /etc/postfix/key.pem
Usually best to not configure client certificates.
> smtp_tls_ciphers = high
In message <88031027-d5b8-4f48-947d-294302fac...@dukhovni.org>
Viktor Dukhovni writes:
>
> > On Jan 13, 2016, at 8:52 PM, Curtis Villamizar
> > wrote:
> >
> > The logs revealed something about the nature of the problem. A few of
> > these sort of messages were found.
> >
> > Jan 13 17:08:22 m
In message <3pgpvv0nvczj...@spike.porcupine.org>
Wietse Venema writes:
> Curtis Villamizar:
> > What I'd like to do is set smtpd_tls_security_level back to "may" and
> > then somehow set it to "none" if the EHLO domain is comcast.net (oops
> > the secret is out).
> >
> > I see we have smtp_tls_p
> On Jan 13, 2016, at 8:52 PM, Curtis Villamizar
> wrote:
>
> The logs revealed something about the nature of the problem. A few of
> these sort of messages were found.
>
> Jan 13 17:08:22 mta3 postfix/smtpd[15958]:
> warning: TLS library problem:
> error:1408A0C1:SSL
> routines:ssl3_ge
Curtis Villamizar:
> What I'd like to do is set smtpd_tls_security_level back to "may" and
> then somehow set it to "none" if the EHLO domain is comcast.net (oops
> the secret is out).
>
> I see we have smtp_tls_policy_maps, but no smtpd_tls_policy_maps.
Use this to suppress the STARTTLS announce
I turned on opportunistic TLS last summer I think. All was fine for a
long time. btw - I'm currently running the FreeBSD
postfix-current-3.0.20151003,4 port but previously used 2.8.
Somewhat recently someone with a residential cable provider account
complained that he got mail from me but mail f