Re: dovecot, openssl, TLS1.0
On Tue, 6 Nov 2018 18:11:54 +0100 Michael Wagner wrote:

Hello Michael,

>You must change /etc/aliases, when an MTA is installed.
>Hth Michael

I knew it was something simple. Thanks Michael.

--
 Regards  _
         / )      "The blindingly obvious is
        / _)rad   never immediately apparent"
I'll be the rubbish you'll be the bin
Love Song - The Damned
Re: dovecot, openssl, TLS1.0
On Nov 06, 2018 at 16:43:57, Brad Rogers wrote:
> On Tue, 6 Nov 2018 15:15:48 + Jan Foniok wrote:
> >Is there a package that needs to be installed for that to happen?
>
> I believe that exim is installed (at least in part) for this.
>
> >
> >On my postfix installation there is no sysadmin alias (there is system,
>
> I didn't mean sysadmin literally. I meant it as in "whoever has the
> role of sysadmin". Usually root, IIRC. I know I changed it on my
> system to have the mail sent to my username. That was nearly ten years
> ago, and I cannot remember what I did to change it. I do know it wasn't
> too difficult, though(0).

You must change /etc/aliases, when an MTA is installed.

Hth Michael

--
If Murphy's Law can go wrong, it will.
Re: dovecot, openssl, TLS1.0
On Tue, 6 Nov 2018 15:15:48 + Jan Foniok wrote:

Hello Jan,

>Is there a package that needs to be installed for that to happen?

I believe that exim is installed (at least in part) for this.

>
>On my postfix installation there is no sysadmin alias (there is system,

I didn't mean sysadmin literally. I meant it as in "whoever has the
role of sysadmin". Usually root, IIRC. I know I changed it on my
system to have the mail sent to my username. That was nearly ten years
ago, and I cannot remember what I did to change it. I do know it wasn't
too difficult, though(0).

>admin, and many others). Nor is there any sign of undelivered emails to
>sysadmin in the mail logs.

Look in /var/mail/ and see what user names exist, and what, if any, mail
exists in their relevant directories. This may require superuser
privileges(1) to enable you to access all mail directories.

(0) Otherwise, I wouldn't have done it. :-)

(1) IDK for sure, since there's only one user listed under /var/mail/ on
my system - my username.

--
 Regards  _
         / )      "The blindingly obvious is
        / _)rad   never immediately apparent"
Save me from everybody else
Prisoners - Judgement Centre
Re: dovecot, openssl, TLS1.0
Hello,

> On 5 Nov 2018, at 21:19, Brad Rogers wrote:
>> In spite of some effort I haven't found this sysadmin. Can you please
>> give me some pointers...
>
> Important information regarding an update, such as a change in default
> behaviour of a package, is emailed to the sysadmin user. This is usually
> root, IIRC, but can be reconfigured to be anybody.

Is there a package that needs to be installed for that to happen?

On my postfix installation there is no sysadmin alias (there is system,
admin, and many others). Nor is there any sign of undelivered emails to
sysadmin in the mail logs.

> Changing back the defaults in /etc/ssl/openssl.cnf to previous system
> wide defaults can be done using:
> MinProtocol = None
> CipherString = DEFAULT

This helps indeed, even though I recognise that there is a security issue.
I hope either Apple will fix OS X El Capitan to fully support TLSv1.2, or
users will stop using 9-year-old laptops that cannot be upgraded any
further than that OS X version. (But why chuck a perfectly working
computer??)

Thanks again for your help,
Jan
Re: dovecot, openssl, TLS1.0
On Mon, 5 Nov 2018 17:46:14 +0100 Jan Foniok wrote:

Hello Jan,

Putting this back on D-U...

>thanks a lot for your reply and excuse my inexperience.

My apologies; That's my fault. I made an unwarranted assumption about
your experience level.

>In spite of some effort I haven't found this sysadmin. Can you please
>give me some pointers...

Important information regarding an update, such as a change in default
behaviour of a package, is emailed to the sysadmin user. This is usually
root, IIRC, but can be reconfigured to be anybody.

To read it, either set up your email package to check for mail locally
(i.e. collect it from /var/mail/username), or simply look at the message
in /var/mail/ - it's plain text, of course.

Just in case it's gone, I repeat the message in its entirety here:

openssl (1.1.1-2) unstable; urgency=medium

  Following various security recommendations, the default minimum TLS
  version has been changed from TLSv1 to TLSv1.2. Mozilla, Microsoft,
  Google and Apple plan to do same around March 2020.

  The default security level for TLS connections has also be increased
  from level 1 to level 2. This moves from the 80 bit security level to
  the 112 bit security level and will require 2048 bit or larger RSA and
  DHE keys, 224 bit or larger ECC keys, and SHA-2.

  The system wide settings can be changed in /etc/ssl/openssl.cnf.
  Applications might also have a way to override the defaults.

  In the default /etc/ssl/openssl.cnf there is a MinProtocol and
  CipherString line. The CipherString can also sets the security level.
  Information about the security levels can be found in the
  SSL_CTX_set_security_level(3ssl) manpage. The list of valid strings for
  the minimum protocol version can be found in SSL_CONF_cmd(3ssl). Other
  information can be found in ciphers(1ssl) and config(5ssl).

  Changing back the defaults in /etc/ssl/openssl.cnf to previous system
  wide defaults can be done using:
        MinProtocol = None
        CipherString = DEFAULT

Hopefully, that points you in the right direction, and you'll be able to
make adjustments to your set up to suit your needs.

--
 Regards  _
         / )      "The blindingly obvious is
        / _)rad   never immediately apparent"
You don't entertain ideas you simply bore them
I Don't Like You - Stiff Little Fingers
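
An added example, not part of any message in this thread and not Debian's or OpenSSL's code: a small Python audit of openssl.cnf-style text that flags the rollback quoted in the NEWS entry above (MinProtocol below TLSv1.2, or a CipherString that no longer pins a security level). The section name system_default_sect, the function names and both sample configurations are assumptions constructed for illustration.

```python
import re

# Values MinProtocol accepts for TLS (see SSL_CONF_cmd(3ssl)), weakest first.
ORDER = ["None", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

def parse_sections(text):
    """Parse openssl.cnf-style text into {section: {key: value}}."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        m = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections

def audit(text, want_proto="TLSv1.2", want_level=2):
    """Return findings for every section that weakens the TLS defaults."""
    findings = []
    for name, keys in parse_sections(text).items():
        proto = keys.get("MinProtocol")
        if proto is not None and proto not in ORDER:
            findings.append(f"[{name}] MinProtocol={proto}: unrecognised value")
        elif proto is not None and ORDER.index(proto) < ORDER.index(want_proto):
            findings.append(f"[{name}] MinProtocol={proto}: below {want_proto}")
        if "CipherString" in keys:
            m = re.search(r"@SECLEVEL=(\d+)", keys["CipherString"])
            if m is None:
                findings.append(f"[{name}] CipherString sets no @SECLEVEL")
            elif int(m.group(1)) < want_level:
                findings.append(f"[{name}] SECLEVEL={m.group(1)}: below {want_level}")
    return findings

# Constructed samples; the section name is an assumption, not taken from the thread.
HARDENED = """[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
"""
ROLLED_BACK = """[system_default_sect]
MinProtocol = None   # no lower bound: TLSv1 and TLSv1.1 are offered again
CipherString = DEFAULT
"""

if __name__ == "__main__":
    for label, sample in (("hardened", HARDENED), ("rolled back", ROLLED_BACK)):
        print(label, audit(sample) or "ok")
```

Because the rollback in /etc/ssl/openssl.cnf is system wide, a check like this is most useful after package upgrades or configuration changes, to confirm that a compatibility workaround for one mail client has not silently become the default for every TLS service on the host.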
Re: dovecot, openssl, TLS1.0
On Mon, Nov 05, 2018 at 01:36:10PM +0100, Jan Foniok wrote:
> What is the best way out? Can TLS1.0 and 1.1 be enabled?

TLS 1.0 is insecure and should never be used. TLS 1.1 is questionable.

If you google something like "tls 1.1 deprecated", you will get plenty
of results telling you why. The most official one I could find was this
IETF draft memo:

https://tools.ietf.org/id/draft-moriarty-tls-oldversions-diediedie-00.html
Re: dovecot, openssl, TLS1.0
On Mon, 5 Nov 2018 14:29:51 +0100 Jan Foniok wrote:

Hello Jan,

>What is the best way out? Can TLS1.0 and 1.1 be enabled?

On 31 Oct, updates included info regarding TLS. Read the mail sent to
sysadmin for options.

--
 Regards  _
         / )      "The blindingly obvious is
        / _)rad   never immediately apparent"
You're only 29 got a lot to learn
Seventeen - Sex Pistols
Re: dovecot, openssl, TLS1.0
On Mon, Nov 05, 2018 at 02:29:51PM +0100, Jan Foniok wrote:
> Hi,
>
> Apple Mail on El Capitan doesn't seem to support protocols TLS higher than
> 1.0 or 1.1.
> Older hardware (9 years) is not supported by newer MacOS versions.
>
> A recent update of debian seems to have disabled these protocols for dovecot
> imap.
>
> What is the best way out? Can TLS1.0 and 1.1 be enabled?

/etc/dovecot/conf.d/10-ssl.conf contains "ssl_protocols" variable that
can be used to specify announced TLS versions.

If it fails to work for you - it's probably possible to 'solve' the
problem by downgrading "libssl1.1".

Of course that also means opening your server to all kinds of
exploitation, so replacing this "Apple Mail" with actual e-mail client is
definitely the way to go.

Reco