On 07.09.2013 17:43, Robert Schetterer wrote:
> On 07.09.2013 16:43, Viktor Dukhovni wrote:
>> On Sat, Sep 07, 2013 at 08:30:47AM +0200, Robert Schetterer wrote:
>>
>>> # openssl dhparam -out dh2048.pem 2048
>>> # postconf -e 'smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem'
>>> ...
>>>
>>> I had a report from one customer with Netscape 7 (a very old mail
>>> client) that he can't connect anymore via port 465 due to SSL failures,
>>> which I can see in the logs too.
>>>
>>> Does this sound plausible?
>>
>> Definitely.  Ancient software may not be able to handle 2048-bit EDH.
>> Fortunately, as Wietse points out, there is a simple work-around:
>> deploy a different dhparam file on ports 465 and 587.
>>
>>   # openssl dhparam -out dh1024.pem 1024
>>   # postconf -e 'submission_tls_dh1024_param_file = ${config_directory}/dh1024.pem'
>>
>> Then in master.cf:
>>
>>   465 inet n ... smtpd
>>     -o smtpd_tls_wrappermode=yes
>>     -o smtpd_tls_dh1024_param_file=$submission_tls_dh1024_param_file
>>     ...
>>   587 inet n ... smtpd
>>     -o smtpd_tls_dh1024_param_file=$submission_tls_dh1024_param_file
>>     ...
>>
> 
> I thought that way too,
> 
> and did it that way before reading this post, so I am now waiting for
> a report back from the user.

So, as awaited, it was reported that everything is working again. Thanks for the help.

> 
> 
> 
> Best Regards
> MfG Robert Schetterer
> 



Best Regards
MfG Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, District Court München: HRB 199263
Executive board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
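
An added example, not part of the thread and not Postfix code: a small audit that resolves the `-o` overrides from master.cf against main.cf and reports which DH parameter file each smtpd service ends up with, so you can confirm the 1024-bit file is confined to ports 465 and 587 while port 25 keeps the 2048-bit one. The file contents are constructed samples modelled on the thread, `/etc/postfix` and all function names are assumptions, and only the plain `-o name=value` and `$name` / `${name}` / `$(name)` forms are handled.

```python
import re

# Constructed sample files mirroring the thread's setup (assumed /etc/postfix path).
MAIN_CF = """\
config_directory = /etc/postfix
smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem
submission_tls_dh1024_param_file = ${config_directory}/dh1024.pem
"""
MASTER_CF = """\
smtp  inet  n  -  n  -  -  smtpd
465   inet  n  -  n  -  -  smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_tls_dh1024_param_file=$submission_tls_dh1024_param_file
587   inet  n  -  n  -  -  smtpd
  -o smtpd_tls_dh1024_param_file=$submission_tls_dh1024_param_file
"""

def logical_lines(text):
    """Drop comments and blank lines; join lines that start with whitespace."""
    out = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line.strip())
    return out

def expand(value, params, depth=0):
    """Expand $name, ${name} and $(name); an unknown name raises KeyError here."""
    if depth > 20:
        raise ValueError("parameter reference loop")
    ref = lambda m: expand(params[m.group(1) or m.group(2) or m.group(3)], params, depth + 1)
    return re.sub(r"\$(?:\{(\w+)\}|\((\w+)\)|(\w+))", ref, value)

def effective_dh_files(main_cf, master_cf, name="smtpd_tls_dh1024_param_file"):
    """Map each smtpd service in master.cf to the DH parameter file it will load."""
    main = {k.strip(): v.strip() for k, _, v in (l.partition("=") for l in logical_lines(main_cf))}
    result = {}
    for line in logical_lines(master_cf):
        fields = line.split()
        if len(fields) >= 8 and fields[7] == "smtpd":
            params, args = dict(main), fields[8:]
            for flag, setting in zip(args, args[1:]):
                if flag == "-o":  # per-service override of a main.cf parameter
                    params.update([setting.split("=", 1)])
            result[fields[0]] = expand(params[name], params)
    return result
```

Calling `effective_dh_files(MAIN_CF, MASTER_CF)` on the sample returns the 2048-bit file for `smtp` and the 1024-bit file for `465` and `587`.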
