Hi all,
Question: postfix 2.11: I have configured both RSA and ECDSA support on the
server (smtpd_tls_cert_file and smtpd_tls_eccert_file) and support for ECDSA
works great - however ECDSA is _never_ selected as cipher for sending or
receiving mails.
To check if it is properly configured i hav
I think I found a solution to this, by modifying the default high list to:
tls_high_cipherlist = ECDSA:aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH
The server now prefers ECDSA over RSA. Can someone cross-check if that is a correct
solution for the problem and does not pose any risk?
thanks,
_
Zbyszek Żó
On 2017-04-13 04:27:09 (+0200), Benny Pedersen wrote:
body only contained € chars
only me that was made millionaire ? :=)
I get surprisingly little spam from Postfix mailing lists.
Philip
--
Philip Paeps
Senior Reality Engineer
Ministry of Information
On 2017-04-13 14:53:50 (+0200), Zbyszek Żółkiewski wrote:
Message written by Zbyszek Żółkiewski on
13.04.2017, at 13:33:
Question: postfix 2.11: I have configured both RSA and ECDSA support
on the server (smtpd_tls_cert_file and smtpd_tls_eccert_file) and
support for ECDSA wor
thanks for the comment. But please note that I am using default postfix „high”
settings - my only change is to force ECDSA at the beginning of the cipher
list.
Full list from openssl is:
ciphers 'ECDSA:aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH'
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-E
On 2017-04-13 15:55:12 (+0200), Zbyszek Żółkiewski wrote:
Message written by Philip Paeps on 13.04.2017, at
15:50:
On 2017-04-13 14:53:50 (+0200), Zbyszek Żółkiewski wrote:
Message written by Zbyszek Żółkiewski on
13.04.2017, at 13:33:
Question: postfix 2.11:
On 2017-04-13 (07:50 MDT), Philip Paeps wrote:
>
> egrep "TLS connection established from.*with cipher" \
> /var/log/maillog* | awk \
> '{printf("%s %s %s %s\n", $12, $13, $14, $15)}' | \
> sort | uniq -c | sort -n
Interesting. Ran this over a few days of logs:
5288 TLSv1.2 with cipher EC
On 04/13/17 10:16, @lbutlr wrote:
> On 2017-04-13 (07:50 MDT), Philip Paeps wrote:
>>
>> egrep "TLS connection established from.*with cipher" \
>> /var/log/maillog* | awk \
>> '{printf("%s %s %s %s\n", $12, $13, $14, $15)}' | \
>> sort | uniq -c | sort -n
>
> Interesting. Ran this over a fe
On 2017-04-13 08:16:29 (-0600), @lbutlr wrote:
On 2017-04-13 (07:50 MDT), Philip Paeps wrote:
egrep "TLS connection established from.*with cipher" \
/var/log/maillog* | awk \
'{printf("%s %s %s %s\n", $12, $13, $14, $15)}' | \
sort | uniq -c | sort -n
Interesting. Ran this over a few d
Hi,
On my servers I get this (non-consequential) error every so often:
/var/log/maillog:Apr 12 15:01:00 postfix-test postfix/virtual[4996]: fatal: bad
string length 0 < 1: virtual_mailbox_base =
/var/log/maillog:Apr 12 15:01:01 postfix-test postfix/master[4960]: warning:
process /usr/libexec/pos
all looks good except _outgoing_ mail that still uses
ECDHE-RSA-AES128-GCM-SHA256. Incoming mail is using
ECDHE-ECDSA-AES256-GCM-SHA384 and clients as well are using
ECDHE-ECDSA-AES256-GCM-SHA384.
So where is the problem? Settings are:
smtp_tls_ciphers = high
smtp_tls_mandatory_ciphers = high
smt
Julian Kippels:
> On my servers I get this (non-consequential) error every so often:
> /var/log/maillog:Apr 12 15:01:00 postfix-test postfix/virtual[4996]: fatal:
> bad string length 0 < 1: virtual_mailbox_base =
> /var/log/maillog:Apr 12 15:01:01 postfix-test postfix/master[4960]: warning:
> pro
On 2017-04-13 17:28:44 (+0200), Zbyszek Żółkiewski
wrote:
Message written by Philip Paeps on
13.04.2017, at 16:04:
On 2017-04-13 15:55:12 (+0200), Zbyszek Żółkiewski
wrote:
Message written by Philip Paeps on
13.04.2017, at 15:50:
On 2017-04-13 14:53:50 (+0200),
> On Apr 13, 2017, at 7:33 AM, Zbyszek Żółkiewski wrote:
>
> Question: postfix 2.11: I have configured both RSA and ECDSA support on the
> server (smtpd_tls_cert_file and smtpd_tls_eccert_file) and support for ECDSA
> works great - however ECDSA is _never_ selected as cipher for sending or
>
> On Apr 13, 2017, at 11:28 AM, Zbyszek Żółkiewski wrote:
>
> all looks good except _outgoing_ mail that still uses
> ECDHE-RSA-AES128-GCM-SHA256. Incoming mail is using
> ECDHE-ECDSA-AES256-GCM-SHA384 and clients as well are using
> ECDHE-ECDSA-AES256-GCM-SHA384.
>
> so where is problem ? s
_
Zbyszek Żółkiewski
> Message written by Viktor Dukhovni on
> 13.04.2017, at 19:21:
>
>
>> On Apr 13, 2017, at 11:28 AM, Zbyszek Żółkiewski wrote:
>>
>> all looks good except _outgoing_ mail that still uses
>> ECDHE-RSA-AES128-GCM-SHA256. Incoming mail is using
>> ECDHE-ECDS
Message written by Philip Paeps on 13.04.2017, at
19:46:
>
> How did you test it without RSA? If I try to connect to Google without RSA
> support (aNULL:-aNULL:HIGH:-aRSA:@STRENGTH), it fails to negotiate a cipher
> and the connection drops.
>
> As pointed out though: this rea
> On Apr 13, 2017, at 1:49 PM, Zbyszek Żółkiewski wrote:
>
> Thanks for the insights,
>
> Please note that "aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH"
> is a default postfix configuration
Yes, I set that default...
> - and i do not change it - just by adding ECDSA at the beginnin
> "Viktor" == Viktor Dukhovni writes:
>> On Apr 10, 2017, at 4:01 PM, John Stoffel wrote:
>>
>> Since I built 2.11.9 by hand, I'm willing to do this hack as well I
>> think. It's a total hack too... and I'm still amazed I'm the only one
>> seeing this. But maybe most people who use Office
Message written by Viktor Dukhovni on
13.04.2017, at 20:35:
>
>
>> On Apr 13, 2017, at 1:55 PM, Zbyszek Żółkiewski wrote:
>>
>> And as the note that it not make things secure: yes i understand that - but
>> if there is technology that is new and can be used - why not prioritiz