[pfx] Re: identifying sender failing ssl/tls cipher (ECDSA server certificate???)

2023-08-14 Thread Viktor Dukhovni via Postfix-users
On Sat, Aug 12, 2023 at 12:53:35PM -0400, Viktor Dukhovni wrote: > > Length: 00 00 9c (156) > > ... > > 0x01,0x88 7 ??? > > ... > > 0xC0,0x12 14 ECDHE-RSA-DES-CBC3-SHA Au=RSA > > ... > > 0x00,0x40 22 DHE-DSS-AES128-SHA256 Au=DSS > > ... > > All the ciphersuites offered except one (DSS) are

[pfx] Re: identifying sender failing ssl/tls cipher (ECDSA server certificate???)

2023-08-12 Thread pgnd via Postfix-users
Consider (after carefully reading over the docs explaining the required ordering of the content) switching to consolidated preferred syntax: smtpd_tls_chain_files = >> This feature is available in Postfix 3.4 and later. that one snuck by me :-/ convenient, tho, thx! No tool.

[pfx] Re: identifying sender failing ssl/tls cipher (ECDSA server certificate???)

2023-08-12 Thread Viktor Dukhovni via Postfix-users
On Sat, Aug 12, 2023 at 02:03:56PM -0400, Viktor Dukhovni via Postfix-users wrote: > > checking further > > > > grep smtpd_tls main.cf | grep file > > smtpd_tls_dh1024_param_file=${config_directory}/dh4096.pem > > smtpd_tls_eckey_file = > >

[pfx] Re: identifying sender failing ssl/tls cipher (ECDSA server certificate???)

2023-08-12 Thread Viktor Dukhovni via Postfix-users
On Sat, Aug 12, 2023 at 02:27:14PM -0400, pgnd wrote: > >> Handshake type: 01 (Client Hello) > >> Length: 00 00 9c (156) > > > One thing I failed to mention is that length of 156 is rather unexpected > > ... > > And there's also that mysterious 0x01,0x88 cipher, which is not listed > > in the

[pfx] Re: identifying sender failing ssl/tls cipher (ECDSA server certificate???)

2023-08-12 Thread pgnd via Postfix-users
That'd then be the file to analyse: # tshark -nr /tmp/tls.pcap -V ssl thx for the ez tutorial after the key file cleanup, ... Untrusted TLS connection established from esa.hc2802-61.iphmx.com[68.232.155.227]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 ... This

[pfx] Re: identifying sender failing ssl/tls cipher (ECDSA server certificate???)

2023-08-12 Thread Viktor Dukhovni via Postfix-users
On Sat, Aug 12, 2023 at 12:53:35PM -0400, Viktor Dukhovni via Postfix-users wrote: > > Handshake type: 01 (Client Hello) > > Length: 00 00 9c (156) One thing I failed to mention is that length of 156 is rather unexpected here, because the containing TLS record layer header promised a length of

[pfx] Re: identifying sender failing ssl/tls cipher (ECDSA server certificate???)

2023-08-12 Thread Viktor Dukhovni via Postfix-users
On Sat, Aug 12, 2023 at 01:35:11PM -0400, pgnd wrote: > > https://datatracker.ietf.org/doc/html/rfc7672#section-8.2 > > I've no idea in this case why aNULL is explicitly ref'd; for my own > configs I don't call it out, rather stick with the default See the final comment in this message. >

[pfx] Re: identifying sender failing ssl/tls cipher (ECDSA server certificate???)

2023-08-12 Thread Viktor Dukhovni via Postfix-users
On Sat, Aug 12, 2023 at 01:42:04PM -0400, pgnd wrote: > after the key file cleanup, > > ... > Untrusted TLS connection established from > esa.hc2802-61.iphmx.com[68.232.155.227]: TLSv1.2 with cipher > ECDHE-RSA-AES128-GCM-SHA256 > ... > > seems, in fact, EC-ready That's ECDHE key

[pfx] Re: identifying sender failing ssl/tls cipher (ECDSA server certificate???)

2023-08-12 Thread pgnd via Postfix-users
one'd hope that banks and hospitals might be a bit more up-to-date on their end. after the key file cleanup, ... Untrusted TLS connection established from esa.hc2802-61.iphmx.com[68.232.155.227]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 ... seems, in fact, EC-ready

[pfx] Re: identifying sender failing ssl/tls cipher (ECDSA server certificate???)

2023-08-12 Thread pgnd via Postfix-users
As background, the RELEASE_NOTES for 3.8 mention:...>> postfix/psint/smtpd[27820]: esa.hc2802-61.iphmx.com[139.138.32.157]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:!SEED:!IDEA:!3DES:!RC2:!RC4:!RC5:!kDH:!kECDH:!aDSS:!MD5:+RC4:@STRENGTH:!aNULL" yep Which is most of the above, but

[pfx] Re: identifying sender failing ssl/tls cipher (ECDSA server certificate???)

2023-08-12 Thread Viktor Dukhovni via Postfix-users
On Sat, Aug 12, 2023 at 09:47:57AM -0400, pgnd via Postfix-users wrote: > postconf mail_version > mail_version = 3.8.1 As background, the RELEASE_NOTES for 3.8 mention: - Postfix default settings now exclude the following deprecated or unused ciphers (SEED, IDEA,

[pfx] Re: identifying sender failing ssl/tls cipher ?

2023-08-12 Thread pgnd via Postfix-users
why? not my own server/config Can you explain how each of these is better than the Postfix defaults? all but two _are_ at defaults postconf -n | grep -i tls | grep -i cipher | sort @D smtpd_tls_ciphers = medium @D smtpd_tls_exclude_ciphers = @D

[pfx] Re: identifying sender failing ssl/tls cipher ?

2023-08-12 Thread Bastian Blank via Postfix-users
On Sat, Aug 12, 2023 at 09:47:57AM -0400, pgnd via Postfix-users wrote: > postconf -n | grep -i tls | grep -i cipher > smtp_tls_ciphers = medium > smtp_tls_exclude_ciphers = EXP, LOW, MEDIUM, aNULL, eNULL, SRP, > PSK, kDH, DH, kRSA, DHE, DSS, RC4, DES, IDEA,

[pfx] Re: identifying sender failing ssl/tls cipher ?

2023-08-12 Thread Bill Cole via Postfix-users
On 2023-08-12 at 09:47:57 UTC-0400 (Sat, 12 Aug 2023 09:47:57 -0400) pgnd via Postfix-users is rumored to have said: in postconf mail_version mail_version = 3.8.1 I just caught the following TLS error in postfix logs, 2023-08-12T09:33:07.064713-04:00 cmx0024