On 2024/3/23 04:57, Wietse Venema via Postfix-users wrote:
Unless you can hand over the certificate that Postfix complained
about, you have not proven that Postfix was in error.
You are right, I can't guarantee if the certificate openssl dumped was
the one Postfix encountered.
Specifically,
Hi everyone,
I am currently assessing the TLS security of a Postfix mail server and among
other things sslscan reported that the server allows a (non-EC) DH exchange
with only 1024 bits. While one solution would be to only allow ECDH(E) and
disable DH(E) entirely, I would rather like to keep su
Hello everybody,
what is the rationale behind the deprecation of the setting
`smtpd_tls_cipherlist`? Are there any plans to remove it entirely in some
future versions?
I am looking for an option to explicitly set the list of allowed cipher suites.
The deprecated setting `smtpd_tls_cipherlist`
On Sat, Mar 23, 2024 at 12:36:23PM +0100, Matthias Nagel via Postfix-users wrote:
> I am currently assessing the TLS security of a Postfix mail server and among
> other things sslscan reported that the server allows a (non-EC) DH exchange
> with only 1024 bits. While one solution would be to onl
Cowbay via Postfix-users:
> So, I will collect necessary information next time I encounter this
> issue as what Viktor suggested.
Please note that Postfix does not automatically use the "system"
root CA store that openssl s_client and curl may use. That could
result in verification differences be
Hello everybody,
I use `smtpd_tls_chain_files` to set the X.509 certificate (and key) for
Postfix. Do I have to reload Postfix, e.g. via `systemctl reload
postfix.service` after the certificate (and key) file has been renewed? The
following sentence in
https://www.postfix.org/postconf.5.html#
Matthias Nagel via Postfix-users:
> Hello everybody,
>
> what is the rationale behind the deprecation of the setting
> `smtpd_tls_cipherlist`? Are there any plans to remove it entirely
> in some future versions?
smtpd_tls_cipherlist was removed in Postfix 2.3 (18 years ago).
Postfix 2.9 (12 years
On 2024/3/23 20:04, Wietse Venema via Postfix-users wrote:
Cowbay via Postfix-users:
So, I will collect necessary information next time I encounter this
issue as what Viktor suggested.
Please note that Postfix does not automatically use the "system"
root CA store that openssl s_client and curl
TLS using processes will eventually pick up new certificate info.
A Postfix SMTP client and server process has a limited life time,
bounded by max_idle (100s) and max_use (100 times).
A tlsproxy process (used by postscreen, and by a Postfix SMTP client
when reusing an SMTP-over-TLS connection) t
I am running Postfix mail-mta/postfix-3.8.5 with dev-libs/openssl-3.0.13. If I
correctly understood my Postfix server should not use a FF group with 1024
bits, but at least 2024 bits. (References to the docs are given below.)
So the question still stands, how do I ensure that Postfix uses at leas
On Sat, Mar 23, 2024 at 01:57:39PM +0100, Matthias Nagel via Postfix-users wrote:
> Also note, that the file which is configured in
> `smtpd_tls_chain_files` is only a symbolic link, e.g.
>
> # ls -lha /etc/letsencrypt/live/my-host.my-domain.tld:smtps/fullchain.pem
> lrwxrwxrwx 1 root root 51 11
> Note that with `certbot`, the `fullchain.pem` file [...]
> contains only the certificate chain, without the private key [...].
>
> So you don't get atomicity from `certbot`.
I know. I just opened a feature request:
https://github.com/certbot/certbot/issues/9915
Am Samstag, 23. März 2024, 16:
On Sat, Mar 23, 2024 at 12:36:23PM +0100, Matthias Nagel via Postfix-users wrote:
> I am currently assessing the TLS security of a Postfix mail server and
> among other things sslscan reported that the server allows a (non-EC)
> DH exchange with only 1024 bits.
The Postfix SMTP server uses whate
On Sat, Mar 23, 2024 at 03:58:15PM +0100, Matthias Nagel via Postfix-users wrote:
> So the question still stands, how do I ensure that Postfix uses at
> least 2048bit DH, if TLS 1.2 and FFDH have been negotiated?
As an SMTP server, Postfix uses a 2048-bit built-in group, or else
whatever group yo
On Sat, Mar 23, 2024 at 08:04:18AM -0400, Wietse Venema via Postfix-users wrote:
> Please note that Postfix does not automatically use the "system"
> root CA store that openssl s_client and curl may use. That could
> result in verification differences between Postfix and other tools.
>
> https://
On Sat, Mar 23, 2024 at 06:24:50PM +0800, Cowbay via Postfix-users wrote:
> My smtp_tls_policy_maps points to a hash table and the relevant entry is
> [smtp.gmail.com]:465secure
OK, nothing unusual there.
> > No, the self-signed certificate might have been some root CA that isn't
>
On Sat, Mar 23, 2024 at 12:45:04PM +0100, Matthias Nagel via Postfix-users wrote:
> what is the rationale behind the deprecation of the setting
> `smtpd_tls_cipherlist`? Are there any plans to remove it entirely in
> some future versions?
Superseded by smtpd_tls_cipher_grade and tls_medium_ciphe
it goes into an endless loop if mx is missing, so it does not do a/
failback testing, is this a bug?
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
Benny Pedersen via Postfix-users:
> it goes into an endless loop if mx is missing, so it does not do a/
> failback testing, is this a bug?
What is 'it', what did you ask 'it' to do, and what are the
concrete symptoms in the form of logging?
Wietse
On Sat, Mar 23, 2024 at 11:43:02PM +0100, Benny Pedersen via Postfix-users wrote:
> It goes into an endless loop if mx is missing, so it does not do a/ failback
> testing, is this a bug?
This is an off-topic question. The code behind dane.sys4.de is a Perl
script that tests the correctness of D