Thanks Sam, especially the note that esmtpd-msa reads BOTH config files, esmtpd and esmtpd-msa, is an important one!
On 12.10.2013 17:25, Sam Varshavchik wrote:

>> esmtpd-ssl:
>> * ESMTPDSTARTTLS defines whether we allow STARTTLS or not - that doesn't
>> make sense to me, when this daemon is SSL-enabled already on connect. Is
>> this setting meant for the plain-text esmtpd on port 25?
>
> I do not see such setting anywhere.

That is interesting. I run courier on different servers for different projects and checked those - I found it on the two most recently installed servers but nowhere else. So I guess I can just delete it. Gentoo package maintainer making fun of us?

>> * TLS_PROTOCOL sets the protocol for SSL encryption on connection?
>> * TLS_STARTTLS_PROTOCOL sets the protocol for STARTTLS - again, that
>> only makes sense on the regular esmtpd
>
> Right.

So what does define the STARTTLS protocol on esmtpd: a) TLS_PROTOCOL in esmtpd or b) TLS_STARTTLS_PROTOCOL in esmtpd-ssl?

>> 1) SSL3 + TLS
>> * STARTTLS, I assume, supports only TLS1+ - no SSL3, is that correct?
>> * can we assume that a client which issues STARTTLS doesn't try to use
>> SSL3?
>> * is there a way to set the TLS_PROTOCOL for *-ssl to allow both SSL3
>> and TLS1, but no SSL2?
>
> All of that depends on the protocol setting, and whether Courier is
> built against OpenSSL or GnuTLS. TLS_PROTOCOL is used with OpenSSL only;
> and it looks like SSL23 also includes TLS1.

Yes, I am using OpenSSL. What I should have mentioned: as I want to use SSL3 and TLS only, I set all TLS_PROTOCOL settings to TLS1.

* with TLS, all is fine
* with SSL2 there is a simple error (as expected)

But with SSL3 it gives an error that it's not available (as with SSL2); instead it tries to negotiate a cipher and then fails. That is what I don't understand. The same ciphers work fine with SSL3 on apache.
TLS_PROTOCOL=TLS1
TLS_STARTTLS_PROTOCOL=TLS1
TLS_CIPHER_LIST="ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS:@STRENGTH"

Maybe a question for some here who are more into the SSL business and encryption.

Thanks,
Manuel

--
Wikimedia CH - Verein zur Förderung Freien Wissens
Lausanne, +41 (21) 34066-22 - www.wikimedia.ch

_______________________________________________
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users