Re: OpenSMTPD on CentOS 8.
On 7. Mar 2020, at 04:27, Ihor Antonov wrote:
>
> On 2020-03-07 02:30, Reio Remma wrote:
>> On 07.03.2020 0:41, Ihor Antonov wrote:
>>> On 2020-03-06 23:05, Reio Remma wrote:
>>>> Hello!
>>>>
>>>> I was forced to upgrade our mail server to CentOS 8 (thanks to hardware
>>>> failure on the old machine). I've successfully built an RPM of OpenSMTPD for
>>>> CentOS 8 and it's running nicely, however I've a problem with the global
>>>> crypto policies in CentOS 8.
>>>>
>>>> Namely the DEFAULT crypto policy disables TLSv1 for OpenSMTPD. Has anyone
>>>> got any experience on how to allow TLSv1 for OpenSMTPD without downgrading
>>>> the whole system from DEFAULT to LEGACY crypto policy?
>>> Just out of curiosity - why do you need TLSv1 on OpenSMTPD? (Especially
>>> since it is considered to be not safe)
>>
>> Because my thinking is it's better than the plain text the clients fall back
>> to. Or is it not so?
>
> Good question. Will other smtp servers fall back to plaintext if
> TLSv1.1+ is not available? TLS 1.2 is about 10 years old... I would not
> force TLSv1.3 yet, but I also really don't want to communicate with
> systems that are so outdated that they don't support TLSv1.2. But that is
> a matter of personal choice probably.

I did have an overly optimistic experiment some time ago where IIRC I
restricted smtpd to TLSv1.2. Unfortunately that resulted in several mails per
day from banks, government agencies, etc. being lost. Unfortunately there are a
lot of outdated set-and-forget servers out there (like our old qmail setup that
had TLSv1 as max).

Reio
Re: OpenSMTPD on CentOS 8.
On 2020-03-07 02:30, Reio Remma wrote:
> On 07.03.2020 0:41, Ihor Antonov wrote:
> > On 2020-03-06 23:05, Reio Remma wrote:
> > > Hello!
> > >
> > > I was forced to upgrade our mail server to CentOS 8 (thanks to hardware
> > > failure on the old machine). I've successfully built an RPM of OpenSMTPD for
> > > CentOS 8 and it's running nicely, however I've a problem with the global
> > > crypto policies in CentOS 8.
> > >
> > > Namely the DEFAULT crypto policy disables TLSv1 for OpenSMTPD. Has anyone
> > > got any experience on how to allow TLSv1 for OpenSMTPD without downgrading
> > > the whole system from DEFAULT to LEGACY crypto policy?
> > Just out of curiosity - why do you need TLSv1 on OpenSMTPD? (Especially
> > since it is considered to be not safe)
>
> Because my thinking is it's better than the plain text the clients fall back
> to. Or is it not so?

Good question. Will other smtp servers fall back to plaintext if
TLSv1.1+ is not available? TLS 1.2 is about 10 years old... I would not
force TLSv1.3 yet, but I also really don't want to communicate with
systems that are so outdated that they don't support TLSv1.2. But that is
a matter of personal choice probably.
Re: OpenSMTPD on CentOS 8.
On 07.03.2020 0:41, Ihor Antonov wrote:
> On 2020-03-06 23:05, Reio Remma wrote:
>> Hello!
>>
>> I was forced to upgrade our mail server to CentOS 8 (thanks to hardware
>> failure on the old machine). I've successfully built an RPM of OpenSMTPD for
>> CentOS 8 and it's running nicely, however I've a problem with the global
>> crypto policies in CentOS 8.
>>
>> Namely the DEFAULT crypto policy disables TLSv1 for OpenSMTPD. Has anyone
>> got any experience on how to allow TLSv1 for OpenSMTPD without downgrading
>> the whole system from DEFAULT to LEGACY crypto policy?
> Just out of curiosity - why do you need TLSv1 on OpenSMTPD? (Especially
> since it is considered to be not safe)

Because my thinking is it's better than the plain text the clients fall back
to. Or is it not so?

Reio
Re: OpenSMTPD on CentOS 8.
On 2020-03-06 23:05, Reio Remma wrote:
> Hello!
>
> I was forced to upgrade our mail server to CentOS 8 (thanks to hardware
> failure on the old machine). I've successfully built an RPM of OpenSMTPD for
> CentOS 8 and it's running nicely, however I've a problem with the global
> crypto policies in CentOS 8.
>
> Namely the DEFAULT crypto policy disables TLSv1 for OpenSMTPD. Has anyone
> got any experience on how to allow TLSv1 for OpenSMTPD without downgrading
> the whole system from DEFAULT to LEGACY crypto policy?

Just out of curiosity - why do you need TLSv1 on OpenSMTPD? (Especially
since it is considered to be not safe)

Ihor
OpenSMTPD on CentOS 8.
Hello!

I was forced to upgrade our mail server to CentOS 8 (thanks to hardware
failure on the old machine). I've successfully built an RPM of OpenSMTPD for
CentOS 8 and it's running nicely, however I've a problem with the global
crypto policies in CentOS 8.

Namely the DEFAULT crypto policy disables TLSv1 for OpenSMTPD. Has anyone
got any experience on how to allow TLSv1 for OpenSMTPD without downgrading
the whole system from DEFAULT to LEGACY crypto policy?

OpenSMTPD has "smtp ciphers" directive which does overwrite the global
ciphers set by the crypto policy, but there doesn't seem to be a way to set
minimum TLS version for OpenSMTPD.

Any help would be welcome!

Thanks!
Reio
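Added example, not part of this thread or of OpenSMTPD: before deciding whether to keep TLSv1 enabled or accept the risk of lost mail that the thread describes, tally from your own maillog which TLS version (or no TLS at all) each inbound session that delivered a message actually negotiated. The `smtp connected` / `smtp tls` / `smtp message` line layout is my assumption, modelled on OpenSMTPD 6.6-style logging, and the sample log lines are constructed; adjust the regexes to match your own log format.

```python
import re
from collections import Counter, defaultdict

# Constructed sample maillog: three inbound sessions, one of which never
# started TLS. Field layout is assumed (OpenSMTPD 6.6-style 'smtp ...' lines).
SAMPLE_LOG = """\
Mar 07 10:00:00 mx smtpd[812]: 1a2b3c4d5e6f7a8b smtp connected address=203.0.113.10 host=mail.bank.example
Mar 07 10:00:00 mx smtpd[812]: 1a2b3c4d5e6f7a8b smtp tls ciphers=TLSv1:AES256-SHA:256
Mar 07 10:00:01 mx smtpd[812]: 1a2b3c4d5e6f7a8b smtp message msgid=0001 from=<a@bank.example> to=<me@mx.example> size=1200 ndest=1 proto=ESMTP
Mar 07 10:00:01 mx smtpd[812]: 1a2b3c4d5e6f7a8b smtp disconnected reason=quit
Mar 07 10:05:00 mx smtpd[812]: 9f8e7d6c5b4a3f2e smtp connected address=198.51.100.7 host=smtp.agency.example
Mar 07 10:05:00 mx smtpd[812]: 9f8e7d6c5b4a3f2e smtp tls ciphers=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256
Mar 07 10:05:01 mx smtpd[812]: 9f8e7d6c5b4a3f2e smtp message msgid=0002 from=<b@agency.example> to=<me@mx.example> size=800 ndest=1 proto=ESMTP
Mar 07 10:10:00 mx smtpd[812]: 0c0ffee0c0ffee01 smtp connected address=192.0.2.44 host=old.qmail.example
Mar 07 10:10:01 mx smtpd[812]: 0c0ffee0c0ffee01 smtp message msgid=0003 from=<c@qmail.example> to=<me@mx.example> size=500 ndest=1 proto=SMTP
"""

SID = r"(?P<sid>[0-9a-f]{16})"  # OpenSMTPD session id prefixes every line
CONNECTED = re.compile(SID + r" smtp connected address=(?P<addr>\S+) host=(?P<host>\S+)")
TLS = re.compile(SID + r" smtp tls ciphers=(?P<ver>[^:]+):")  # version is the first field
MESSAGE = re.compile(SID + r" smtp message ")


def tally_tls_versions(log_text):
    """Return (sessions per TLS version, sorted peer hosts per version).

    A session counts once it has carried a message; one that did so without
    any 'smtp tls' line is reported as 'plaintext', i.e. the fallback case.
    """
    peer, version, delivered = {}, {}, set()
    for line in log_text.splitlines():
        if m := CONNECTED.search(line):
            peer[m["sid"]] = m["host"]
        elif m := TLS.search(line):
            version[m["sid"]] = m["ver"]
        elif m := MESSAGE.search(line):
            delivered.add(m["sid"])
    counts, peers = Counter(), defaultdict(set)
    for sid in delivered:
        ver = version.get(sid, "plaintext")
        counts[ver] += 1
        peers[ver].add(peer.get(sid, "unknown"))
    return dict(counts), {v: sorted(p) for v, p in peers.items()}


if __name__ == "__main__":
    counts, peers = tally_tls_versions(SAMPLE_LOG)
    for ver in sorted(counts):
        print(f"{ver:10s} {counts[ver]:4d}  {', '.join(peers[ver])}")
```

Run it over a few weeks of logs and the TLSv1 and plaintext rows tell you which peers (and how much mail) a stricter policy would affect.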