Recent updates to the supported Postfix releases have updated the
default settings of the OpenSSL ciphers used for opportunistic TLS
from "export" to "medium".
If you're not yet using one of the releases from mid July, or
have set non-default values for either of:
smtpd_tls_protocols
smtp
On 2015-08-06 09:08, Viktor Dukhovni wrote:
>
> Recent updates to the supported Postfix releases have updated the
> default settings of the OpenSSL ciphers used for opportunistic TLS
> from "export" to "medium".
>
> If you're not yet using one of the releases from mid July, or
> have set non-defau
On Thu, Aug 06, 2015 at 09:13:53AM +0200, Sven Schwedas wrote:
> > You should in most cases update main.cf by setting:
> >
> > # Exclude obsolete weak crypto.
> > #
> > smtpd_tls_protocols = !SSLv2, !SSLv3
> > smtpd_tls_ciphers = medium
> > smtp_tls_protocols = !SSLv2, !SSLv3
Viktor Dukhovni wrote:
> On Thu, Aug 06, 2015 at 09:13:53AM +0200, Sven Schwedas wrote:
>> Why medium and not high, while we're at it? What clients would have
>> problems with it?
>
> Because cleartext is not stronger than medium. If you make TLS
> impossible for peers that only support medium, t
Got it.
I have made a small perl script as a service that would only return
reject as a policy (that should have rendered most of the mailing
impossible), and postfix was still mailing happily. Since I have
recompiled Postfix from the source, it was out of the question that the
process was faul
On 2015-08-06 13:50, Istvan Prosinger wrote:
> Got it.
> I have made a small perl script as a service that would only return
> reject as a policy (that should have rendered most of the mailing
> impossible), and postfix was still mailing happily. Since I have
> recompiled Postfix from the source, it was ou
Istvan Prosinger:
> On 2015-08-06 13:50, Istvan Prosinger wrote:
> > Got it.
> > I have made a small perl script as a service that would only return
> > reject as a policy (that should have rendered most of the mailing
> > impossible), and postfix was still mailing happily. Since I have
> > recompi
Some time ago, I'd cribbed the following postscreen dnsbl weights from an
experienced user's post ... iirc, it was on this list
...
postscreen_dnsbl_threshold = 5
postscreen_dnsbl_sites =
b.barracudacentral.org=127.0.0.2*7
zen.spamhaus.org=127.0.0.[10;1
Once upon a time, PGNd said:
> On quick investigation, @ spamhaus now says
> (http://www.spamhaus.org/news/article/713/) return codes have changed:
Those are dbl response codes, not zen. You are mixing the two up, but
they are very different.
--
Chris Adams
During the most recent upgrade I inadvertently altered owner, group,
and/or permissions in /var/spool/postfix. I've looked for information in all
the README files that seemed applicable but have not found a list of how
/var/spool/postfix subdirectories should be set. Please point me to a doc
tha
>During the most recent upgrade I inadvertently altered owner, group,
> and/or permissions in /var/spool/postfix. I've looked for information in
> all
> the README files that seemed applicable but have not found a list of how
> /var/spool/postfix subdirectories should be set. Please point me t
On Thu, 6 Aug 2015, Michael J Wise wrote:
> Needs Group Write.
Michael,
Ah, I should have seen that.
> See that little "s"?
> That's special.
Yep. I learned that maildrop and public need to be set gid.
It would still be useful to have a complete list of owners, groups, and
perms for the
> On Thu, 6 Aug 2015, Michael J Wise wrote:
>
>> Needs Group Write.
>
> Michael,
>
>Ah, I should have seen that.
>
>> See that little "s"?
>> That's special.
>
>Yep. I learned that maildrop and public need to be set gid.
>
>It would still be useful to have a complete list of owners, gr
On Thu, 6 Aug 2015, Michael J Wise wrote:
> This is from a MacOS 10.9 instance, so it's not quite current, and the
> user is ... a bit weird, but it should help as a data point. Good luck!
Thanks, Michael.
Rich
On Thu, Aug 06, 2015 at 11:02:46AM -0700, Rich Shepard wrote:
> I want a list of owners, groups, and permissions I can keep here so I can
> repair inadvertent changes during future upgrades.
# postfix set-permissions
Except on Debian systems where it might not work, because the Debian
"postf
On Thu, Aug 06, 2015 at 10:25:04AM +0200, Michael Ströder wrote:
> > On Thu, Aug 06, 2015 at 09:13:53AM +0200, Sven Schwedas wrote:
> >> Why medium and not high, while we're at it? What clients would have
> >> problems with it?
> >
> > Because cleartext is not stronger than medium. If you make T
Rich Shepard:
>During the most recent upgrade I inadvertently altered owner, group,
> and/or permissions in /var/spool/postfix. I've looked for information in all
> the README files that seemed applicable but have not found a list of how
> /var/spool/postfix subdirectories should be set. Please
On Thu, 6 Aug 2015, Viktor Dukhovni wrote:
> # postfix set-permissions
>
> Except on Debian systems where it might not work, because the Debian
> "postfix-files" file (in $daemon_directory for recent enough
> releases) often has more files listed than are actually deployed by
> Postfix packages.
Viktor,
Wietse Venema:
> Rich Shepard:
> >During the most recent upgrade I inadvertently altered owner, group,
> > and/or permissions in /var/spool/postfix. I've looked for information in all
> > the README files that seemed applicable but have not found a list of how
> > /var/spool/postfix subdirector
Viktor Dukhovni wrote:
> On Thu, Aug 06, 2015 at 10:25:04AM +0200, Michael Ströder wrote:
>
>>> On Thu, Aug 06, 2015 at 09:13:53AM +0200, Sven Schwedas wrote:
>>>> Why medium and not high, while we're at it? What clients would have
>>>> problems with it?
>>>
>>> Because cleartext is not stronger t
Michael Ströder:
> Viktor Dukhovni wrote:
> > On Thu, Aug 06, 2015 at 10:25:04AM +0200, Michael Ströder wrote:
> >
> >>> On Thu, Aug 06, 2015 at 09:13:53AM +0200, Sven Schwedas wrote:
> >>>> Why medium and not high, while we're at it? What clients would have
> >>>> problems with it?
> >>>
> >>> Be
On 06 Aug 2015, at 21:44, Michael Ströder wrote:
>>> simply look whether their system uses STARTTLS or not and won't check
>>> which particular ciphers are used. IMO it might be a good learning effect
>>> for
>>> them if you disable STARTTLS for them.
>>
>> This is wrong. RC4 is not worse than
On Fri, Aug 07, 2015 at 02:55:42AM +0200, DTNX Postmaster wrote:
> For most systems, monitoring the status of their encryption just isn't
> done at all; they use the defaults their device or server came with at
> the time they purchased it, and rarely keep up with the times.
They don't need to.