On Sat, Nov 23, 2013 at 10:42:23PM +, Viktor Dukhovni wrote:
> for askcc in smtpd_ask_ccert smtpd_req_ccert
Make that:
for askcc in smtpd_tls_ask_ccert smtpd_tls_req_ccert
--
Viktor.
On Sat, Nov 23, 2013 at 11:08:56PM +0100, Andreas Schulze wrote:
> >For bonus points, you could look at "smtpd_tls_askccert" and
> >"smtpd_tls_req_ccert". If either is set to "yes", append ':!aNULL'
> >to the raw openssl cipher list.
>
> could you please tell more about that?
Not much more to t
Quoting Viktor Dukhovni:
For bonus points, you could look at "smtpd_tls_askccert" and
"smtpd_tls_req_ccert". If either is set to "yes", append ':!aNULL'
to the raw openssl cipher list.
could you please tell more about that?
Andreas
On Sat, Nov 23, 2013 at 10:40:05PM +0100, Andreas Schulze wrote:
> But when I disable RC4 in smtpd_tls_exclude_ciphers (I assume) it's
> also not used when I enforce encrypt mode !? This script doesn't say so.
Yes, you're right, the script did not cover that case accurately,
the code from smtpd(8)
Quoting Viktor Dukhovni:
With smtpd(8) there are no implicit exclusions so you can build the
full list yourself if you want. For example with opportunistic TLS
(may):
$ server_ciphers() {
local use skip ciphers exclude e
case $1 in
may)
use="tls_exp
On Fri, Nov 08, 2013 at 01:17:54AM +, Viktor Dukhovni wrote:
> With smtpd(8) there are no implicit exclusions so you can build the
> full list yourself if you want. For example with opportunistic TLS
> (may):
One minor correction, with either of:
smtpd_tls_ask_ccert = yes
sm
thank you very much for all that information
i will add this message to my documentation archive and have a look
how hard it is really needed to tweak here - also saw consumer grade
routers breaking TLS until restart them
somehow i do not expect that Outlook 2010 on Windows 8 has more problems
t
On Fri, Nov 08, 2013 at 01:05:33AM +0100, li...@rhsoft.net wrote:
> >>> Note that Postfix will still apply implicit and configured exclusions
> >>> to these based on context (!aNULL when verifying peer certificates)
> >
> > READ THE ABOVE "Note" carefully. The exclusions are applied on
> > top o
On 08.11.2013 00:50, Viktor Dukhovni wrote:
> On Fri, Nov 08, 2013 at 12:27:13AM +0100, li...@rhsoft.net wrote:
>
>>> If you MUST muck around with raw OpenSSL cipherlists, the underlying
>>>
>>> tls__cipherlist
>>>
>>> parameters are present and documented, along with appropriate
>>> warning
On Fri, Nov 08, 2013 at 12:27:13AM +0100, li...@rhsoft.net wrote:
> > If you MUST muck around with raw OpenSSL cipherlists, the underlying
> >
> > tls__cipherlist
> >
> > parameters are present and documented, along with appropriate
> > warnings to not go there.
> >
> > Note that Postfix wil
thank you for your feedback
On 07.11.2013 23:45, Viktor Dukhovni wrote:
> Postfix provides a more natural user interface in terms of cipher
> grades (null, export, low, medium, high). These have sensibly easy
> to reason about security properties.
>
> I've seen many subtle and not so-subtle er
On Thu, Nov 07, 2013 at 11:31:03PM +0100, li...@rhsoft.net wrote:
> http://www.postfix.org/TLS_README.html#server_tls
>
> Am I overlooking something or is it not possible to list explicit
> offered ciphers and their order like dovecot/httpd for smtpd?
Postfix provides a more natural user interfa
Hi
http://www.postfix.org/TLS_README.html#server_tls
am i overlooking something or is it not possible to list explicit
offered ciphers and their order like dovecot/httpd for smtpd?
i am speaking here about non-MX servers only for submission
what i most appreciate in this way of configuration is
o
13 matches