Mark Constable wrote:
> On Monday 25 February 2008 16:56:07 Gordon Messmer wrote:
>
>> Is anyone interested in contributing to an openssl/gnutls compatibility
>> matrix in the wiki?
>>
>
> Certainly if you provide a guideline on how to contribute.
>

The only thing that I have to suggest is that contributors should be able to demonstrate that a specific program does not work in the default configuration, and begins working when only one setting is changed. That is, I would like to discourage shotgun-style changes of TLS settings.

> I just set another courier system and I found I had to use
> these settings to send test messages from my current server...
>
> # grep TLS_P * | grep -v "#"
> courierd:TLS_PROTOCOL=SSL23
> esmtpd:TLS_PROTOCOL=SSL2
...
> ie; even courier-mta seems to have trouble using just SSL3
> but that may be because I'm not sure how this stuff all
> works and I just used trial and error to find a sweet spot.
>

It seems likely that you first set TLS_PROTOCOL in esmtpd to SSL2 on one server, which is probably unnecessary. That setting should be TLS1. I'm reasonably certain that an application that does STARTTLS won't need courier to use SSL2 or SSL23. By setting that, you forced yourself to set TLS_PROTOCOL to SSL23 in courierd on the other server in order to communicate with it.

If you had left both of those settings as their defaults, all applications should work, and your security would be much better. This is exactly what I want to help people avoid.

_______________________________________________
courier-users mailing list
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
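The "only one setting changed" rule from the message above can be checked mechanically before a result goes into a compatibility matrix. The following is an added example, not part of the original message or of Courier itself: the function names, the sample snapshots and the baseline values are assumptions constructed for illustration.

```python
import re

# Values the message above advises against for TLS_PROTOCOL.
DISCOURAGED = {"SSL2", "SSL23"}

def parse_tls_settings(text):
    """Return {name: value} for active (uncommented) TLS_* lines."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"\s*(TLS_[A-Z0-9_]+)=(.*)$", line)
        if m:  # commented lines start with '#', so they never match
            settings[m.group(1)] = m.group(2).strip().strip('"')
    return settings

def review_change(baseline_text, changed_text):
    """Compare two config snapshots; return (diff, problems)."""
    base = parse_tls_settings(baseline_text)
    new = parse_tls_settings(changed_text)
    diff = {k: (base.get(k), new.get(k))
            for k in sorted(set(base) | set(new))
            if base.get(k) != new.get(k)}
    problems = []
    if len(diff) != 1:
        problems.append(f"{len(diff)} TLS settings differ; a matrix entry "
                        "should isolate exactly one")
    proto = new.get("TLS_PROTOCOL")
    if proto in DISCOURAGED:
        problems.append(f"TLS_PROTOCOL={proto} is a value the message "
                        "advises against")
    return diff, problems

# Constructed snapshots (not taken from a real server). BASELINE stands in for
# the packaged configuration; read the real one from your installed files.
BASELINE = 'TLS_PROTOCOL=TLS1\n# TLS_CIPHER_LIST="example"\n'
ONE_CHANGE = 'TLS_PROTOCOL=SSL3\n# TLS_CIPHER_LIST="example"\n'
SHOTGUN = 'TLS_PROTOCOL=SSL23\nTLS_CIPHER_LIST="ALL"\n'

if __name__ == "__main__":
    for name, snap in (("one change", ONE_CHANGE), ("shotgun", SHOTGUN)):
        diff, problems = review_change(BASELINE, snap)
        print(name, diff, problems or "ok")
```

Run it once per configuration file (esmtpd, courierd and so on), each against its own packaged default.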
