On Sat, Mar 23, 2024 at 11:43:02PM +0100, Benny Pedersen via Postfix-users
wrote:
> It goes into an endless loop if mx is missing, so it does not do a/ failback
> testing, is this a bug ?
This is an off-topic question. The code behind dane.sys4.de is a Perl
script that tests the correctness of
Benny Pedersen via Postfix-users:
> it goes into an endless loop if mx is missing, so it does not do a/
> failback testing, is this a bug ?
What is 'it', what did you ask 'it' to do, and what are the
concrete symptoms in the form of logging?
Wietse
it goes into an endless loop if mx is missing, so it does not do a/
failback testing, is this a bug ?
On Sat, Mar 23, 2024 at 12:45:04PM +0100, Matthias Nagel via Postfix-users
wrote:
> what is the rationale behind the deprecation of the setting
> `smtpd_tls_cipherlist`? Are there any plans to remove it entirely in
> some future versions?
Superseded by smtpd_tls_cipher_grade and
On Sat, Mar 23, 2024 at 06:24:50PM +0800, Cowbay via Postfix-users wrote:
> My smtp_tls_policy_maps points to a hash table and the relevant entry is
> [smtp.gmail.com]:465 secure
OK, nothing unusual there.
> > No, the self-signed certificate might have been some root CA that isn't
On Sat, Mar 23, 2024 at 08:04:18AM -0400, Wietse Venema via Postfix-users wrote:
> Please note that Postfix does not automatically use the "system"
> root CA store that openssl s_client and curl may use. That could
> result in verification differences between Postfix and other tools.
>
>
On Sat, Mar 23, 2024 at 03:58:15PM +0100, Matthias Nagel via Postfix-users
wrote:
> So the question still stands, how do I ensure that Postfix uses at
> least 2048bit DH, if TLS 1.2 and FFDH have been negotiated?
As an SMTP server, Postfix uses a 2048-bit built-in group, or else
whatever group
On Sat, Mar 23, 2024 at 12:36:23PM +0100, Matthias Nagel via Postfix-users
wrote:
> I am currently assessing the TLS security of a Postfix mail server and
> among other things sslscan reported that the server allows a (non-EC)
> DH exchange with only 1024 bits.
The Postfix SMTP server uses
> Note that with `certbot`, the `fullchain.pem` file [...]
> contains only the certificate chain, without the private key [...].
>
> So you don't get atomicity from `certbot`.
I know. I just opened a feature request:
https://github.com/certbot/certbot/issues/9915
On Saturday, 23 March 2024,
On Sat, Mar 23, 2024 at 01:57:39PM +0100, Matthias Nagel via Postfix-users
wrote:
> Also note, that the file which is configured in
> `smtpd_tls_chain_files` is only a symbolic link, e.g.
>
> # ls -lha /etc/letsencrypt/live/my-host.my-domain.tld:smtps/fullchain.pem
> lrwxrwxrwx 1 root root 51
I am running Postfix mail-mta/postfix-3.8.5 with dev-libs/openssl-3.0.13. If I
correctly understood my Postfix server should not use a FF group with 1024
bits, but at least 2024 bits. (References to the docs are given below.)
So the question still stands, how do I ensure that Postfix uses at
TLS using processes will eventually pick up new certificate info.
A Postfix SMTP client and server process has a limited life time,
bounded by max_idle (100s) and max_use (100 times).
A tlsproxy process (used by postscreen, and by a Postfix SMTP client
when reusing an SMTP-over-TLS connection)
On 2024/3/23 20:04, Wietse Venema via Postfix-users wrote:
Cowbay via Postfix-users:
So, I will collect necessary information next time I encounter this
issue as what Viktor suggested.
Please note that Postfix does not automatically use the "system"
root CA store that openssl s_client and
Matthias Nagel via Postfix-users:
> Hello everybody,
>
> what is the rationale behind the deprecation of the setting
> `smtpd_tls_cipherlist`? Are there any plans to remove it entirely
> in some future versions?
smtpd_tls_cipherlist was removed in Postfix 2.3 (18 years ago).
Postfix 2.9 (12
Hello everybody,
I use `smtpd_tls_chain_files` to set the X.509 certificate (and key) for
Postfix. Do I have to reload Postfix, e.g. via `systemctl reload
postfix.service` after the certificate (and key) file has been renewed? The
following sentence in
Cowbay via Postfix-users:
> So, I will collect necessary information next time I encounter this
> issue as what Viktor suggested.
Please note that Postfix does not automatically use the "system"
root CA store that openssl s_client and curl may use. That could
result in verification differences
On Sat, Mar 23, 2024 at 12:36:23PM +0100, Matthias Nagel via Postfix-users
wrote:
> I am currently assessing the TLS security of a Postfix mail server and among
> other things sslscan reported that the server allows a (non-EC) DH exchange
> with only 1024 bits. While one solution would be to
Hello everybody,
what is the rationale behind the deprecation of the setting
`smtpd_tls_cipherlist`? Are there any plans to remove it entirely in some
future versions?
I am looking for an option to explicitly set the list of allowed cipher suites.
The deprecated setting `smtpd_tls_cipherlist`
Hi everyone,
I am currently assessing the TLS security of a Postfix mail server and among
other things sslscan reported that the server allows a (non-EC) DH exchange
with only 1024 bits. While one solution would be to only allow ECDH(E) and
disable DH(E) entirely, I would rather like to keep
On 2024/3/23 04:57, Wietse Venema via Postfix-users wrote:
Unless you can hand over the certificate that Postfix complained
about, you have not proven that Postfix was in error.
You are right, I can't guarantee if the certificate openssl dumped was
the one Postfix encountered.