Manuel Bouyer wrote in
 <zvkxhu06iovpf...@antioche.eu.org>:
 |On Mon, Nov 13, 2023 at 10:24:56PM +0100, Steffen Nurpmeso wrote:
 |> Manuel Bouyer wrote in
 |>  <zvj6lirepxlce...@antioche.eu.org>:
 |>|Hello
 |>|I'm facing an issue with postfix+openssl3 which may be critical (depending
 |>|on how it can be fixed).
 |>|
 |>|Now my postfix setup fails to send mails with ...
 |>|From what I understood, this is the remote certificate which is not
 |>|accepted:
 |>|openssl 3 deprecated some signature algorithm, which are no longer
 |>|accepted ...
 |>
 |> Isn't that just postfix config.
 |
 |It's possible; but I didn't find anything relevant in the postfix docs
 |
 |> Btw *i* have no problem with
 |>
 |>   smtpd_tls_ask_ccert = no
 |>   smtpd_tls_auth_only = yes
 |>   smtpd_tls_loglevel = 1
 |>   #SMART The next is usually nice but when using client certificates
 |>   smtpd_tls_received_header = no
 |>   smtpd_tls_fingerprint_digest = sha256
 |>   smtpd_tls_mandatory_protocols = >=TLSv1.2
 |>   smtpd_tls_protocols = $smtpd_tls_mandatory_protocols
 |>   # super modern, forward secrecy TLSv1.2 / TLSv1.3 selection..
 |>   tls_high_cipherlist = EECDH+AESGCM:EECDH+AES256:EDH+AESGCM:CHACHA20
 |>   smtpd_tls_mandatory_ciphers = high
 |>   smtpd_tls_mandatory_exclude_ciphers = TLSv1
 |>
 |> ^ This works in practice without any noticeable trouble.
 |> (But then again i do not have to make money from that or my
 |> customers who must talk to ten year old refrigerators.)
 |
 |this is only server-side configuration; my problem is with client-side
 |rejecting the server's certificate
Well i have

  #SMART comment out next
  smtp_tls_security_level = may
  # To always go directly SMTPS/SUBMISSIONS
  #smtp_tls_wrappermode = yes
  smtp_tls_fingerprint_digest = $smtpd_tls_fingerprint_digest
  smtp_tls_mandatory_protocols = $smtpd_tls_mandatory_protocols
  smtp_tls_protocols = $smtpd_tls_protocols
  #SMART When only relaying to smarthost, the next should be =high _or_better_!
  smtp_tls_mandatory_ciphers = $smtpd_tls_mandatory_ciphers
  smtp_tls_mandatory_exclude_ciphers = $smtpd_tls_mandatory_exclude_ciphers
  smtp_tls_ciphers = $smtpd_tls_ciphers
  smtp_tls_exclude_ciphers = $smtpd_tls_exclude_ciphers
  smtp_tls_connection_reuse = yes

But if you have a problem with only one permanent remote partner you
surely want a dedicated map for that one.

Now by sheer accident i am subscribed to postfix-users for about two
years (one permanently), and in 4pksdg3w7vzj...@spike.porcupine.org
Wietse Venema answered on March 25 this year in the thread
"Re: smtp_tls_security_level per user"

  Use sender_dependent_default_transport_maps to choose a delivery
  agent from:

  /etc/postfix/master.cf:
      smtp-may      unix  ..  ..  ..  ..  ..  smtp
          -o { smtp_tls_security_level = may }
      smtp-encrypt  unix  ..  ..  ..  ..  ..  smtp
          -o { smtp_tls_security_level = encrypt }
      smtp-whatever unix  ..  ..  ..  ..  ..  smtp
          -o { smtp_tls_security_level = whatever }

  Keep in mind that SMTP is not HTTP. A destination can have multiple
  MXes, and you have no control over TLS usage between them.

This surely can be extended to configure ciphers etc.

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
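Worked example of the "dedicated map for one remote partner" idea above, combining a per-destination transport_maps entry with the per-transport "-o" overrides from Wietse's quoted master.cf pattern. This is an added illustration, not configuration from either poster or from the Postfix project; the partner domain "legacy-partner.example" and the service name "smtp-legacy" are placeholders, and the relaxed cipher lines only show where partner-specific relaxations go, not a claim that a cipher grade resolves the signature-algorithm rejection Manuel describes. Every other destination keeps the site default, so whatever is loosened stays scoped to that single transport.

```text
# /etc/postfix/main.cf (excerpt)
# Site-wide client-side defaults: opportunistic TLS with the "high" grade,
# as in the smtp_* settings quoted earlier in this thread.
smtp_tls_security_level = may
smtp_tls_mandatory_ciphers = high
smtp_tls_ciphers = high
smtp_tls_loglevel = 1

# Route exactly one destination to a dedicated delivery agent; mail for
# all other domains still uses the default "smtp" transport above.
transport_maps = hash:/etc/postfix/transport

# /etc/postfix/transport   (placeholder domain; rebuild with
#                           "postmap /etc/postfix/transport" after editing)
legacy-partner.example     smtp-legacy:

# /etc/postfix/master.cf (appended entry; column order as in the stock file:
#   service type private unpriv chroot wakeup maxproc command)
smtp-legacy  unix  -  -  n  -  -  smtp
    -o syslog_name=postfix/smtp-legacy
    -o { smtp_tls_security_level = may }
    -o { smtp_tls_mandatory_ciphers = medium }
    -o { smtp_tls_ciphers = medium }
    -o { smtp_tls_loglevel = 2 }
```

To check the routing without sending mail, "postmap -q legacy-partner.example hash:/etc/postfix/transport" should print "smtp-legacy:", and "postconf -M smtp-legacy/unix" shows the master.cf entry Postfix actually parsed; a "postfix reload" is needed after the edits. The syslog_name override is the defender's hook: every delivery through the relaxed transport is logged under postfix/smtp-legacy, so it is easy to confirm in the logs that only the intended partner, and nothing else, ever uses it. As Wietse's reply notes, a destination can have several MXes, so the transport entry covers all of that domain's MX hosts, not one server.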