On 22.01.24 12:34, Taco de Wolff via Postfix-users wrote:
> Sorry, this was a problem with the system-wide cryptographic policies. I
> set it to DEFAULT and it works. This is unexpected though, since at least
> two TLS1.3 ciphersuites are enabled with FIPS:OSPP and TLS1.3 works with
> Nginx (Dovecot is similar to Postfix though and both are fixed with this
> crypto setting). Surely, somewhere in how Postfix/Dovecot use OpenSSL is
> getting blocked when using FIPS mode. Is that a bad configuration or a bug
> perhaps?
Do you mean openssl.cnf? If so, look at
http://www.postfix.org/postconf.5.html#tls_config_file
> Still wondering whether I can enable server-to-server connections
> opportunistically over port 465 though, not just 587.
465 is designed for client-server, not server-server connections.
Server-server connections are to be made on port 25, with a possible upgrade
using the STARTTLS command.
You can tune this using
http://www.postfix.org/postconf.5.html#smtp_tls_security_level
Note that in case of inability to set up a server-server TLS connection, a
plaintext connection will be used (unless you explicitly disable it).
That's why requirements for ciphers and protocols are usually weaker than on
client connections (smtp_tls_mandatory_* options).
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
(R)etry, (A)bort, (C)ancer
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
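Since opportunistic server-to-server TLS falls back to plaintext silently, a practitioner will want to know how many outbound deliveries actually went out unencrypted. The script below is an added example, not code from this thread or from Postfix: it pairs each smtp client process's "TLS connection established" log line with the "status=sent" lines that follow it for the same relay, and flags deliveries with no matching TLS session as plaintext. The log lines are constructed, and the per-PID pairing is an assumed heuristic (connection caching or log interleaving can confuse it).

```python
import re

# Constructed sample Postfix smtp client log lines (not from the thread).
# PID 1201 negotiates TLS 1.3 with mx.example.net and delivers two messages
# over that session; PID 1202 delivers to mx.example.org with no TLS line,
# i.e. the opportunistic handshake failed or was not offered and the mail
# went out in plaintext.
SAMPLE_LOG = """\
Jan 22 12:34:56 mail postfix/smtp[1201]: Untrusted TLS connection established to mx.example.net[192.0.2.10]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Jan 22 12:34:57 mail postfix/smtp[1201]: 4B3F0C1A2E: to=<alice@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=1.1, delays=0.1/0/0.5/0.5, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued)
Jan 22 12:35:10 mail postfix/smtp[1202]: 7D9E1F0B3C: to=<bob@example.org>, relay=mx.example.org[198.51.100.7]:25, delay=0.9, delays=0.1/0/0.4/0.4, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Jan 22 12:36:02 mail postfix/smtp[1201]: 9A1C2D3E4F: to=<carol@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=0.7, delays=0.1/0/0.3/0.3, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued)
"""

# Postfix logs one of Anonymous/Untrusted/Trusted/Verified TLS lines per
# session, before the delivery records sent over that session.
TLS_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: (?P<trust>Anonymous|Untrusted|Trusted|Verified) "
    r"TLS connection established to (?P<relay>\S+): (?P<proto>\S+) with cipher (?P<cipher>\S+)")
SENT_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>, "
    r"relay=(?P<relay>\S+?), .*status=sent")


def classify_deliveries(log_text):
    """Map queue id -> (recipient, relay, tls) where tls is a description like
    'Untrusted TLSv1.3 TLS_AES_256_GCM_SHA384' or 'PLAINTEXT'.
    Heuristic (assumption): the most recent TLS line logged by the same smtp
    PID for the same relay covers the delivery."""
    session = {}  # pid -> (relay, tls description) of the last TLS line seen
    result = {}
    for line in log_text.splitlines():
        m = TLS_RE.search(line)
        if m:
            session[m["pid"]] = (m["relay"], f"{m['trust']} {m['proto']} {m['cipher']}")
            continue
        m = SENT_RE.search(line)
        if m:
            relay, descr = session.get(m["pid"], (None, None))
            tls = descr if relay == m["relay"] else "PLAINTEXT"
            result[m["qid"]] = (m["rcpt"], m["relay"], tls)
    return result


def plaintext_deliveries(log_text):
    """Queue ids of outbound deliveries that had no TLS session, sorted."""
    return sorted(q for q, (_, _, tls) in classify_deliveries(log_text).items()
                  if tls == "PLAINTEXT")
```

Run it over a real mail log to get a list of queue ids whose mail left in the clear; the relay hosts behind them are the candidates for a stricter per-destination policy (see the smtp_tls_policy_maps documentation) or, at minimum, for monitoring.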