Sorry, a correction on the previous. This is wrong:

> add in main.cf : in smtpd_client_restrictions, just after
> permit_mynetworks:
>
> smtpd_discard_ehlo_keyword_address_maps =
> cidr:/etc/postfix/smtpd_discard_ehlo_keywords_address.cidr

Just add

smtpd_discard_ehlo_keyword_address_maps = cidr:/etc/postfix/smtpd_discard_ehlo_keywords_address.cidr

to main.cf. My error... sorry. And what a fast mailing list this is... the Samba list is much slower.

> -----Original message-----
> From: [email protected] [mailto:[email protected]]
> On behalf of L.P.H. van Belle
> Sent: Wednesday 19 August 2015 13:12
> To: [email protected]
> Subject: RE: TLS cert - bug in documentation or bug in my understanding ??
>
>> -----Original message-----
>> From: [email protected] [mailto:[email protected]]
>> On behalf of Alice Wonder
>> Sent: Wednesday 19 August 2015 12:42
>> To: [email protected]
>> Subject: Re: TLS cert - bug in documentation or bug in my understanding ??
>>
>> On 08/19/2015 03:09 AM, L.P.H. van Belle wrote:
>>> Hai,
>>>
>>> Try it like this, there is no need for combining the certificates.
>>>
>>> # TLS parameters
>>> smtp_tls_cert_file = /etc/ssl/certs/certificate.cer
>>> smtp_tls_key_file = /etc/ssl/private/certificate.key
>>> smtpd_tls_cert_file = /etc/ssl/certs/certificate.cer
>>> smtpd_tls_key_file = /etc/ssl/private/certificate.key
>>
>> Thank you, I think I got it figured out, will be testing shortly.
>>
>>> ## RootCA and Intermediate are put here.
>>> smtpd_tls_CApath = /etc/ssl/certs
>>>
>>> And don't forget to regenerate your dhparams.
>>> Like:
>>> # create the private directory only if it is missing
>>> if [ ! -d /etc/ssl/private ]; then
>>>     mkdir -p /etc/ssl/private
>>>     chmod 710 /etc/ssl/private
>>> fi
>>>
>>> ## Create unique DH Groups
>>> openssl dhparam -out /etc/ssl/private/dhparams512.pem 512
>>> openssl dhparam -out /etc/ssl/private/dhparams1024.pem 1024
>>> openssl dhparam -out /etc/ssl/private/dhparams2048.pem 2048
>>> openssl dhparam -out /etc/ssl/private/dhparams4096.pem 4096
>>
>> *snip*
>>
>> As far as DH groups - I put a script in /etc/cron.daily that regenerates
>> the 1024 and 2048 groups once a day.
>>
>> I'm not sure 4096 adds any real world benefit, just eats CPU cycles.
>
> I don't use the 4096 also, but it's there if I need it when I need it,
> and yes, a daily script for the DH is good to have.
>
>> I'm not using 512 as I built postfix against LibreSSL and it doesn't
>> support the export ciphers, and I don't think postfix 2.11.6 does either
>> anyway, at least if I understood the docs.
>>
>> So I'm trying with just the 2048 for now, if that's an issue then I'll
>> follow the documentation on how to allow 1024 for some clients.
>>
>> I'd like to eventually see the DHE ciphers go away in favor of ECDHE -
>> not sure how soon that will happen.
>>
>> I will be configuring postfix to only support ECDHE and DHE ciphers
>> initially, well after I get TLS working on this server that is what I
>> will try next. But I think DHE is only really needed for a few older
>> clients at this point?
>
> Some "too old" TLS clients will fail with postfix. I don't know if they use DHE,
> and it's NOT a postfix error.
>
> What happens is, while client and server are changing keys, the client closes
> the connection, and a message appears in your log, "server closed connection",
> and no mail is received.
> Old Windows Exchange servers and some Lotus Notes servers have this problem,
> maybe more, I don't know that.
>
> For these the only workaround, as far as I know, is: don't show the STARTTLS.
> Info here:
> http://www.postfix.org/postconf.5.html#smtpd_discard_ehlo_keyword_address_maps
>
> ## used to disable buggy clients, or clients with faulty TLS/SSL
> 1.2.3.4 STARTTLS
>
> Which means: don't show STARTTLS for that IP.
>
> add in main.cf : in smtpd_client_restrictions, just after
> permit_mynetworks:
>
> smtpd_discard_ehlo_keyword_address_maps =
> cidr:/etc/postfix/smtpd_discard_ehlo_keywords_address.cidr
>
> Maybe there are better solutions for this, but this works for me.
>
>
> Greetz,
>
> Louis
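Added here as a worked example (not from the thread, nor Postfix's own code): a small Python audit of a cidr: table in the form the message above uses, reproducing the first-match lookup Postfix applies for smtpd_discard_ehlo_keyword_address_maps, so you can check which client addresses would stop seeing STARTTLS before deploying the map. The sample map is constructed; 1.2.3.4 is the address from the message, the two network lines and the host-count threshold are assumptions of this example.

```python
import ipaddress

# Constructed sample of the cidr: table named in the message. 1.2.3.4 is the
# address from the thread; the two network lines are made up for this example.
SAMPLE_MAP = """\
## used to disable buggy clients, or clients with faulty TLS/SSL
1.2.3.4            STARTTLS
192.0.2.0/24       STARTTLS, PIPELINING
2001:db8::/32      STARTTLS
"""


def parse_cidr_map(text):
    """Parse cidr_table(5)-style lines into (network, [KEYWORDS]) pairs.

    Comment and blank lines are skipped, a bare address means one host, and
    file order is preserved because Postfix uses the first matching line.
    A pattern with host bits set (e.g. 192.0.2.1/24) raises ValueError here
    as an audit aid; that strictness is this tool's choice, not a Postfix rule.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'pattern keywords'")
        network = ipaddress.ip_network(parts[0], strict=True)
        keywords = [k.upper() for k in parts[1].replace(",", " ").split()]
        entries.append((network, keywords))
    return entries


def discarded_keywords(entries, client_ip):
    """Return the EHLO keywords Postfix would hide from client_ip (first match)."""
    ip = ipaddress.ip_address(client_ip)
    for network, keywords in entries:
        if ip.version == network.version and ip in network:
            return keywords
    return []


def hides_starttls(entries, client_ip):
    return "STARTTLS" in discarded_keywords(entries, client_ip)


def broad_starttls_entries(entries, max_hosts=256):
    """Flag lines hiding STARTTLS from more than max_hosts addresses: one typo
    in a prefix length silently downgrades every peer in that range."""
    return [(str(n), k) for n, k in entries
            if "STARTTLS" in k and n.num_addresses > max_hosts]
```

Run the audit against the real map file before `postfix reload`; any entry reported by `broad_starttls_entries` deserves a second look, since a client in that range gets no STARTTLS offer at all.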
