On 2023-12-01 18:51, Viktor Dukhovni via Postfix-users wrote:
On Fri, Dec 01, 2023 at 01:52:19PM +0100, Alexander Leidinger wrote:
> No. The problem you're reporting is with name matching. If the
> certificate chain failed to be constructed, that'd be reported instead.
> You'll only see
On 2023-11-30 16:53, Wietse Venema via Postfix-users wrote:
Alexander Leidinger via Postfix-users:
What is wrong here that [tlsproxy] doesn't establish a trusted
connection
to the github mailservers when posttls-finger is able to do that with
the same cert store?
Because
On 2023-11-30 18:36, Viktor Dukhovni via Postfix-users wrote:
On Thu, Nov 30, 2023 at 03:37:02PM +0100, Alexander Leidinger via
Postfix-users wrote:
> > Nov 30 11:18:40 mailgate postfix/tlsproxy[98300]: server certificate
> > verification failed for in-9.smtp.github.com[140.8
On 2023-12-01 09:34, Tom Hendrikx via Postfix-users wrote:
On 01-12-2023 08:59, Alexander Leidinger via Postfix-users wrote:
On 2023-11-30 16:53, Wietse Venema via Postfix-users wrote:
Alexander Leidinger via Postfix-users:
What is wrong here that [tlsproxy] doesn't establish a trusted
On 2023-12-01 12:08, Byung-Hee HWANG via Postfix-users wrote:
...
Nov 30 11:31:48 mailgate postfix/tlsproxy[175]: server certificate
verification failed for in-8.smtp.github.com[140.82.114.32]:25:
num=62:hostname mismatch
...
Maybe you check?
root@yw-1204:/etc/postfix# postconf -n | grep
On 2023-12-01 11:22, Viktor Dukhovni via Postfix-users wrote:
On Fri, Dec 01, 2023 at 09:53:25AM +0100, Alexander Leidinger via
Postfix-users wrote:
> > Why should it expect reply.github.com?
>
> Because that name is securely known from the recipient address.
Because, wh
On 2023-12-01 12:40, Byung-Hee HWANG via Postfix-users wrote:
Alexander Leidinger via Postfix-users
writes:
On 2023-12-01 12:08, Byung-Hee HWANG via Postfix-users wrote:
...
Nov 30 11:31:48 mailgate postfix/tlsproxy[175]: server certificate
verification failed for in-8.smtp.github.com
On 2023-12-01 13:44, Wietse Venema wrote:
Alexander Leidinger:
On 2023-11-30 16:53, Wietse Venema via Postfix-users wrote:
> Alexander Leidinger via Postfix-users:
>> What is wrong here that [tlsproxy] doesn't establish a trusted
>> connection
>> to the github mai
Hi,
There is something strange with delivering mail from my mailserver to
github, it complains about the github server certificate not verified on
an outgoing TLS connection.
My main.cf contains the same certs-path for smtp and smtpd TLS
connections:
---snip---
# grep CApath main.cf
On 2023-11-30 15:03, Bill Cole via Postfix-users wrote:
On 2023-11-30 at 08:03:09 UTC-0500 (Thu, 30 Nov 2023 14:03:09 +0100)
Alexander Leidinger via Postfix-users
is rumored to have said:
My main.cf contains the same certs-path for smtp and smtpd TLS
connections:
---snip---
# grep CApath
On 2024-02-29 10:27, Viktor Dukhovni via Postfix-users wrote:
On Thu, Feb 29, 2024 at 08:59:44AM +0100, Alexander Leidinger via
Postfix-users wrote:
# grep tls main.cf | grep -vE '^#'
smtp_tls_security_level = encrypt
smtpd_tls_ask_ccert = yes
smtpd_tls_CApath = $smtp_tls_CApath
On 2024-02-29 13:46, Viktor Dukhovni via Postfix-users wrote:
On Thu, Feb 29, 2024 at 06:36:09AM -0500, Scott Hollenbeck wrote:
> What do you consider weak?
All of the anonymous Diffie-Hellman suites with an "F" score. How can
I eliminate the following:
Who's assigning the "F" scores?
On 2024-02-28 14:55, Scott Hollenbeck via Postfix-users wrote:
Would someone please describe the configuration settings needed to
support
TLS 1.2 and 1.3 with no weak ciphers? Here's what I currently have in
my
That depends on your definition of "weak".
configuration files:
main.cf:
On 2024-03-12 07:08, Viktor Dukhovni via Postfix-users wrote:
Where is your configuration directory? Are you editing
"/etc/postfix/main.cf", or /usr/local/etc/postfix/main.cf?
Which "postfix" command are you running, "/usr/sbin/postfix" or
"/usr/local/sbin/postfix"? You probably have
On 2024-03-11 05:19, Glenn Tenney via Postfix-users wrote:
(2) Postfix sends to gmail, but does not encrypt when sending.
You only tell the receiving side of postfix to set the encrypt level to
"may". For the sending side you do not have such a setting:
smtp_tls_security_level = ...
On 2024-03-23 15:58, Matthias Nagel via Postfix-users wrote:
I wonder whether setting `smtpd_tls_dh1024_param_file` to a custom
2048-bit DH group would help? But from my understanding of the docs
that should not be necessary as Postfix 3.8.5 uses a built-in 2048bit
group if left empty.
On 2024-03-23 17:17, Viktor Dukhovni via Postfix-users wrote:
PS: As of January 2024, the German BSI has tightened its recommendation
for asymmetric algorithms over finite fields to at least 3000 bits
(i.e. RSA encryption, RSA signatures and FFDH).
With little thought about the opportunistic
On 2024-04-11 05:39, Dan Mahoney via Postfix-users wrote:
I guess I missed something. — I also want it to null route (or route to
a maildir) all *outbound* mail — so we can examine what our ticket
system *would* send, is there something in here to do that, or is the
above only for inbound?
On 2024-05-22 01:22, Greg Sims via Postfix-users wrote:
TLS connection reuse is being used. About 10% of the connections are
reused for large volume ISPs. Small volume ISPs do not see connection
reuse. I believe this is as expected.
I did some testing of our DNS setup. A DNS query using
19 matches