Greetings,
I had my personal postfix/dovecot server, configured for some of my
own domains, running without problems on a linux VPS. For reasons
totally out of my control, I had to migrate everything to another VPS
two days ago, without notice, (details at the bottom if anybody is
interested...),
Google is refusing access because your ipv6 PTR does not map to your domain.
It’s the common (now) google reverse lookup failing.
-
Robert Chalmers
https://robert-chalmers.uk
aut...@robert-chalmers.uk
@R_A_Chalmers
> On 10 Dec 2018, at 8:08 am, Marco Fioretti wrote:
>
> Greetings,
>
> I
On Mon, 10 Dec 2018 at 09:14, Robert Chalmers
wrote:
>
> Google is refusing access because your ipv6 PTR does not map to your domain.
> It’s the common (now) google reverse lookup failing.
> ...
thanks for the reminder.
I know, but had temporarily forgotten due to how that this
When troubleshooting on systems with SELinux I put it in permissive mode -
setenforce 0
Personally I prefer to disable it, it gets in the way too often and so
far has never prevented an actual attack on any of my systems, and just
when I start to figure things out - they change how it works o
Just looking at this again…
Do you have in or remember to update…. (note the use of as a
marker)
dovecot/conf.d/10-ssl.conf
ssl_cert = /fullchain.pem
ssl_key = /privkey.pem
and in postfix/main.cf
#TLS parameters
smtpd_use_tls=yes
smtpd_tls_ciphers = medium
smtpd_tls_security_level = may
Hello Alice, see answers in line
On Mon, 10 Dec 2018 at 12:09, Alice Wonder
wrote:
>
> When troubleshooting on systems with SELinux I put it in permissive mode -
> setenforce 0
this is already the case on the new VPS (FWIW, I personally share your
feelings about selinux in gener
Sorry about the setenforce advice, I didn't see you already had that
covered.
The path for the certs should not matter as long as the files exist.
One thing with dovecot - make sure the PEM file has the cert and the
bundle in it.
cat certificate.pem ca-bundle.pem > combined.pem
Then set
ss
On Mon, Dec 10, 2018 at 01:02:25PM +0100, Marco Fioretti wrote:
> I just changed my permission in the same way, except that the files
> are in another folder (does it make any difference? It shouldn't
> right?), i.e. the same where letsencrypt/certbot put them:
>
> -r. 1 root root 35
Hello Viktor, and all.
This is only a partial answer to Viktor's last email:
On Mon, 10 Dec 2018 at 13:56, Viktor Dukhovni
wrote:
> > -r. 1 root root 3546 Dec 7 11:59 fullchain1.pem
> > -rw-r--r--. 1 root root 1704 Dec 7 11:59 privkey1.pem
>
> This looks rather o
> On Dec 10, 2018, at 9:46 AM, Marco Fioretti wrote:
>
> This afternoon I have urgent family matters to attend, not sure if I
> will be able to test and report before tomorrow afternoon about all the
> other advice I got so far.
You can skip all the other advice. You need to post logs, specificall
On 12/10/18 6:46 AM, Marco Fioretti wrote:
Hello Viktor, and all.
This is only a partial answer to Viktor's last email:
On Mon, 10 Dec 2018 at 13:56, Viktor Dukhovni
wrote:
-r. 1 root root 3546 Dec 7 11:59 fullchain1.pem
-rw-r--r--. 1 root root 1704 Dec 7 11:5
On Mon, 2018-12-10 at 04:22 -0800, Alice Wonder wrote:
> ssl_min_protocol = TLSv1.2
> ssl_cipher_list =
> EECDH+CHACHA20:EECDH+AESGCM:EECDH+SHA384:EECDH+SHA256:EECDH:!3DES:!RC4
> :!ADH:!LOW@STRENGTH
> ssl_prefer_server_ciphers = yes
Don't forget about ssl_dh_parameters_length, it's default on Deb
Hi, once you correct your configuration this may help you test it is correct
1. Run this to test connectivity to your server via STARTTLS [Submission in
master.cf]
openssl s_client -starttls smtp -connect your.host.name:587
Typical OUTPUT =
250 DSN
quit
> On Dec 10, 2018, at 7:22 AM, Alice Wonder wrote:
>
> ssl_min_protocol = TLSv1.2
> ssl_cipher_list =
> EECDH+CHACHA20:EECDH+AESGCM:EECDH+SHA384:EECDH+SHA256:EECDH:!3DES:!RC4:!ADH:!LOW@STRENGTH
> ssl_prefer_server_ciphers = yes
The cipherlist syntax is wrong, you're missing a ":" between "!LOW"
Marco
Post your logs showing the errors.
__
Robert Chalmers
https://robert-chalmers.uk
aut...@robert-chalmers.uk
@R_A_Chalmers
On 10 Dec 2018, at 8:25 pm, Viktor Dukhovni wrote:
>> On Dec 10, 2018, at 7:22 AM, Alice Wonder wrote:
>>
>> ssl_min_protocol = TLSv1.2
>> ssl_cipher_li
Hello,
I want a postfix mailserver to be responsible for one particular email
address from a domain. Is this possible? The idea is the following:
* mx.example.org is the official MX for example.org and has a transport
map that forwards mail for 'b...@example.org' to another mailserver
submx.examp
hello all
We have a RHEL 7 based server running monitoring software consisting of
Groundwork Monitoring Software, which includes Nagios , Nedi, and other
tools. This server is set up with TLS enabled and it uses a script to send
email to any SMTP server that we choose. I have an SMTP server set u
> On Dec 10, 2018, at 6:41 PM, Sean Son
> wrote:
>
> 330462 Dec 7 20:39:21 mailer postfix/smtpd[12242]: SSL3 alert
> read:fatal:unknown CA
> 330463 Dec 7 20:39:21 mailer postfix/smtpd[12242]: SSL_accept:failed in
> SSLv3 read client key exchange A
> 330464 Dec 7 20:39:21 mailer postfix/sm
Scenario: a nameserver is misconfigured such that it doesn't set the "recursion
available" (ra) bit on its replies. Postfix's relayhost has an A record but no
MX record, and is specified in main.cf without [] brackets around it.
What I see is that Postfix 2.6.6 looks up the MX record, receives a
Greetings, Alice Wonder!
> This is what I use in dovecot:
> ssl_min_protocol = TLSv1.2
> ssl_cipher_list =
> EECDH+CHACHA20:EECDH+AESGCM:EECDH+SHA384:EECDH+SHA256:EECDH:!3DES:!RC4:!ADH:!LOW@STRENGTH
> ssl_prefer_server_ciphers = yes
Don't touch SSL cipherlist unless you 100% know what you are
On Mon, Dec 10, 2018 at 6:57 PM Viktor Dukhovni
wrote:
> > On Dec 10, 2018, at 6:41 PM, Sean Son
> wrote:
> >
> > 330462 Dec 7 20:39:21 mailer postfix/smtpd[12242]: SSL3 alert
> read:fatal:unknown CA
> > 330463 Dec 7 20:39:21 mailer postfix/smtpd[12242]: SSL_accept:failed
> in SSLv3 read clie
On 12/10/18 12:25 PM, Viktor Dukhovni wrote:
On Dec 10, 2018, at 7:22 AM, Alice Wonder wrote:
ssl_min_protocol = TLSv1.2
ssl_cipher_list =
EECDH+CHACHA20:EECDH+AESGCM:EECDH+SHA384:EECDH+SHA256:EECDH:!3DES:!RC4:!ADH:!LOW@STRENGTH
ssl_prefer_server_ciphers = yes
The cipherlist syntax is wrong,
On 12/10/18 5:19 PM, Alice Wonder wrote:
On 12/10/18 12:25 PM, Viktor Dukhovni wrote:
On Dec 10, 2018, at 7:22 AM, Alice Wonder wrote:
ssl_min_protocol = TLSv1.2
ssl_cipher_list =
EECDH+CHACHA20:EECDH+AESGCM:EECDH+SHA384:EECDH+SHA256:EECDH:!3DES:!RC4:!ADH:!LOW@STRENGTH
ssl_prefer_server_ci
> On Dec 10, 2018, at 7:23 PM, ben+postfix-us...@narcissus.net wrote:
>
> Scenario: a nameserver is misconfigured such that it doesn't set the
> "recursion available" (ra) bit on its replies. Postfix's relayhost has an A
> record but no MX record, and is specified in main.cf without [] bracke
> On Dec 10, 2018, at 8:19 PM, Alice Wonder wrote:
>
> Even in this thread someone pointed out that Debian defaults to 1024-bit RSA.
> You end up with things like SHA1 still enabled because upstream thought the
> compatibility mattered more than the security.
>
> So yes, I made a typo, and may
> On Dec 10, 2018, at 8:00 PM, Sean Son
> wrote:
>
> Thank you for the reply. Can the client be configured to trust more than one
> SSL cert?
You've told us nothing about the client, so it would be a miracle
if someone on the list could give an answer to that question.
Is the client running
On 12/10/18 6:11 PM, Viktor Dukhovni wrote:
On Dec 10, 2018, at 8:19 PM, Alice Wonder wrote:
Even in this thread someone pointed out that Debian defaults to 1024-bit RSA.
You end up with things like SHA1 still enabled because upstream thought the
compatibility mattered more than the security.
On 12/10/18 6:58 PM, Alice Wonder wrote:
It is the responsibility of the client to not send if the connection is
not secure, if the client wants to guarantee security for those it sends
for. Using a reduced cipher lists means there is less illusion of
security where it doesn't actually exist