The site https://hardenize.com provides relatively decent Email reports,
along with other reports. It checks a number of things including certs,
MTA-STS, TLS-RPT, DANE, SPF, DMARC, and then also TLS. These are all
good checks and recommendations, with the exception of the TLS one, I do
not see ho
micah anderson writes:
> 2. Server suite preferences: they break down each preferred cipher
> selection for each TLS version, and are unhappy about the cipher suite
> configuration being suboptimal, specifically that the forward secrecy
> ciphers (ECDHE or DHE) and authenticated encryption (GCM o
On Friday, April 12, 2019 10:46:50 AM micah anderson wrote:
> The site https://hardenize.com provides relatively decent Email reports,
> along with other reports. It checks a number of things including certs,
> MTA-STS, TLS-RPT, DANE, SPF, DMARC, and then also TLS. These are all
> good checks and r
On 12/04/2019 17:09, Scott Kitterman wrote:
On Friday, April 12, 2019 10:46:50 AM micah anderson wrote:
The site https://hardenize.com provides relatively decent Email reports,
along with other reports. It checks a number of things including certs,
MTA-STS, TLS-RPT, DANE, SPF, DMARC, and then a
> On Apr 12, 2019, at 10:46 AM, micah anderson wrote:
>
> I know that 'hardening postfix' threads have been posted here a number
> of times, I've read them and I understand the recommendations if you
> want to continue delivering and accepting email from the internet. What
> I'm trying to find ou
On 12 Apr 2019, at 08:46, micah anderson wrote:
> The site https://hardenize.com provides relatively decent Email reports,
> along with other reports. It checks a number of things including certs,
> MTA-STS, TLS-RPT, DANE, SPF, DMARC, and then also TLS. These are all
> good checks and recommendatio
Viktor Dukhovni writes:
>> On Apr 12, 2019, at 10:46 AM, micah anderson wrote:
>>
>> I know that 'hardening postfix' threads have been posted here a number
>> of times, I've read them and I understand the recommendations if you
>> want to continue delivering and accepting email from the interne
Scott Kitterman writes:
> On Friday, April 12, 2019 10:46:50 AM micah anderson wrote:
>> The site https://hardenize.com provides relatively decent Email reports,
>> along with other reports. It checks a number of things including certs,
>> MTA-STS, TLS-RPT, DANE, SPF, DMARC, and then also TLS. Th
"@lbutlr" writes:
> On 12 Apr 2019, at 08:46, micah anderson wrote:
>> The site https://hardenize.com provides relatively decent Email reports,
>> along with other reports. It checks a number of things including certs,
>> MTA-STS, TLS-RPT, DANE, SPF, DMARC, and then also TLS. These are all
>> goo
> On Apr 12, 2019, at 11:47 AM, @lbutlr wrote:
>
> I'm not impressed. It complains that STARTTLS is not available on my server.
> It is true it is not available on port 25, but is available on port 587 where
> it should be.
Frankly, best practice nowadays is to also have STARTTLS on port 25.
Pe
On 12 Apr 2019, at 11:47, @lbutlr wrote:
On 12 Apr 2019, at 08:46, micah anderson wrote:
The site https://hardenize.com provides relatively decent Email
reports,
along with other reports. It checks a number of things including
certs,
MTA-STS, TLS-RPT, DANE, SPF, DMARC, and then also TLS. Thes
Viktor Dukhovni:
> > On Apr 12, 2019, at 11:47 AM, @lbutlr wrote:
> >
> > I'm not impressed. It complains that STARTTLS is not available on my
> > server. It is true it is not available on port 25, but is available on port
> > 587 where it should be.
>
> Frankly, best practice nowadays is to al
On Fri, Apr 12, 2019 at 12:34:16PM -0400, micah anderson wrote:
> > Any reasonably recent version of OpenSSL will by default favour stronger
> > ciphers, including listing ciphers that do forward-secrecy above the rest.
> > For example, with OpenSSL 1.0.2 I get:
>
> Indeed, you are right, if I si
On Fri, Apr 12, 2019 at 12:58:48PM -0400, Wietse Venema wrote:
> Viktor Dukhovni:
> > > On Apr 12, 2019, at 11:47 AM, @lbutlr wrote:
> > >
> > > I'm not impressed. It complains that STARTTLS is not available on my
> > > server. It is true it is not available on port 25, but is available on
> >
> On 12 Apr 2019, at 10:42, micah anderson wrote:
>
> "@lbutlr" writes:
>
>> On 12 Apr 2019, at 08:46, micah anderson wrote:
>>> The site https://hardenize.com provides relatively decent Email reports,
>>> along with other reports. It checks a number of things including certs,
>>> MTA-STS, T
* micah anderson:
> I do think that it might be more 'clear' if they said something like
> "if you set p=reject, you are likely to have 90% of the mail you send
> getting spam foldered or rejected".
I use dedicated domains without DMARC policies for mailing lists. For my
other domains, I use p=qu
Hm. Hardenize tells me "Email TLS ... not implemented or disabled",
which I don't quite understand, given the following settings:
smtpd_tls_ask_ccert = yes
smtpd_tls_auth_only = yes
smtpd_tls_fingerprint_digest = sha256
smtpd_tls_dh512_param_file = /etc/ssl/private/dh512.pem
smtpd_tls_dh
On Fri, Apr 12, 2019 at 11:57:09PM +0200, Ralph Seichter wrote:
> Hm. Hardenize tells me "Email TLS ... not implemented or disabled",
> which I don't quite understand, given the following settings:
>
> smtpd_tls_ask_ccert = yes
> smtpd_tls_auth_only = yes
> smtpd_tls_fingerprint_digest = sh
Greetings, André Rodier!
>>> Hello Laura,
>>>
>>> I am using OpenDKIM on Debian Stretch, no issue at all.
>>>
>>> One explanation might be the standard has not changed since 2015, so
>>> neither have the binaries. If a major or even a minor change arises in the
>>> standard, I am sure the binaries will b
On 12/04/2019 19:36, @lbutlr wrote:
On 12 Apr 2019, at 10:42, micah anderson wrote:
"@lbutlr" writes:
On 12 Apr 2019, at 08:46, micah anderson wrote:
The site https://hardenize.com provides relatively decent Email reports,
along with other reports. It checks a number of things including c