* Viktor Dukhovni postfix-users@postfix.org:
On Wed, Sep 11, 2013 at 01:26:25PM +0200, Ralf Hildebrandt wrote:
Has anyone tested such a server in real life?
http://sealedabstract.com/code/nsa-proof-your-e-mail-in-2-hours/
I finally got around to reading this.
I wonder if it should
On Thu, Sep 12, 2013 at 03:36:30PM +0200, Ralf Hildebrandt wrote:
The blog recommends at least one of smtp[d]_tls_loglevel = 2,
this is unwise except when debugging.
On a low traffic server?
Even on a low traffic server the voluminous TLS logging just obfuscates
the useful content in the
* Frank Bonnet frank.bon...@esiee.fr:
Hello
Has anyone tested such a server in real life?
http://sealedabstract.com/code/nsa-proof-your-e-mail-in-2-hours/
I finally got around to reading this.
I wonder if it should be more strict regarding the used ciphers (both
in Postfix and Dovecot), given
On Wed, Sep 11, 2013 at 01:26:25PM +0200, Ralf Hildebrandt wrote:
Has anyone tested such a server in real life?
http://sealedabstract.com/code/nsa-proof-your-e-mail-in-2-hours/
I finally got around to reading this.
I wonder if it should be more strict regarding the used ciphers (both
in
On Wed, Sep 11, 2013 at 04:57:01PM +0200, DTNX Postmaster wrote:
SSLv3 is already disabled in Postfix 2.11 when the remote server
is authenticated via DNSSEC DANE TLSA records, because in this case
the Postfix SMTP client needs to send the SNI extension to the
server (just in case the
On Wed, Sep 11, 2013 at 01:26:25PM +0200, Ralf Hildebrandt wrote:
Has anyone tested such a server in real life?
http://sealedabstract.com/code/nsa-proof-your-e-mail-in-2-hours/
I finally got around to reading this.
I wonder if it should be more strict regarding the used ciphers (both
in
On Sep 11, 2013, at 16:34, Viktor Dukhovni postfix-us...@dukhovni.org wrote:
On Wed, Sep 11, 2013 at 01:26:25PM +0200, Ralf Hildebrandt wrote:
Has anyone tested such a server in real life?
http://sealedabstract.com/code/nsa-proof-your-e-mail-in-2-hours/
I finally got around to reading this.
On Wed, Sep 11, 2013 at 09:12:40PM +0200, DTNX Postmaster wrote:
This is counter-productive. You get TLSv1 whenever the client supports
it, so rejecting SSLv3 at the server does not improve security.
It rejects the systems that only support SSLv3, does it not? Or am I
understanding it
On Sep 11, 2013, at 17:24, Viktor Dukhovni postfix-us...@dukhovni.org wrote:
On Wed, Sep 11, 2013 at 04:57:01PM +0200, DTNX Postmaster wrote:
SSLv3 is already disabled in Postfix 2.11 when the remote server
is authenticated via DNSSEC DANE TLSA records, because in this case
the Postfix SMTP
On Wed, Sep 11, 2013 at 10:03:52PM +0200, DTNX Postmaster wrote:
The odd thing is that both banks drop to RC4-MD5 when sending to
us. I've seen this on another product that we support ourselves as
well; the Postfix client negotiates a higher protocol level and
better cipher for outgoing
On Wed, Sep 11, 2013 at 09:39:57PM +0200, DTNX Postmaster wrote:
This is more reasonable, provided systems you send mail to all
support TLSv1 and up. What fraction of outbound handshakes end up
with SSLv3?
Outbound is an even smaller percentage of total TLS connections
established in
On Sep 11, 2013, at 21:37, Viktor Dukhovni postfix-us...@dukhovni.org wrote:
On Wed, Sep 11, 2013 at 09:12:40PM +0200, DTNX Postmaster wrote:
The reasoning was that accepting SSLv3/RC4-MD5 connections from systems
for which that is apparently the maximum they can support, even today,
On Sep 11, 2013, at 21:52, Viktor Dukhovni postfix-us...@dukhovni.org wrote:
On Wed, Sep 11, 2013 at 09:39:57PM +0200, DTNX Postmaster wrote:
This is more reasonable, provided systems you send mail to all
support TLSv1 and up. What fraction of outbound handshakes end up
with SSLv3?
On Sep 2, 2013, at 23:13, LuKreme krem...@kreme.com wrote:
For servers? Encrypting the drive on an always-on server seems a bit
pointless. Once the machine is up and running, the drive is, as you said,
unencrypted. However, if someone comes in to seize the machines, they will
have to power
Hello
Has anyone tested such a server in real life?
http://sealedabstract.com/code/nsa-proof-your-e-mail-in-2-hours/
Thank you
FWIW, I saw the URL and stopped there. There is literally no way to
NSA-proof your email for a number of reasons:
First, email is sent cleartext. Even if you authenticate to send and you
authenticate to receive, it's going through servers cleartext. A tap
before your server is all it would
The only way to nsa proof is to encrypt end to end with pgp.
I run postfix with gpg-mailgate.
All incoming mail is encrypted with that user's public key as it comes in
for any mail that is not already encrypted client side using pgp.
Bruce.
--
Please use PGP, ENCRYPT everything.
For
On 9/2/2013 9:35 AM, Bruce Markey wrote:
The only way to nsa proof is to encrypt end to end with pgp.
I run postfix with gpg-mailgate.
All incoming mail is encrypted with that user's public key as it comes
in for any mail that is not already encrypted client side using pgp.
This makes sense,
On 2013-09-02 Littlefield, Tyler wrote:
On 9/2/2013 9:35 AM, Bruce Markey wrote:
The only way to nsa proof is to encrypt end to end with pgp.
^^^
I run postfix with gpg-mailgate.
All incoming mail is encrypted with that user's public
On Sep 2, 2013, at 17:43, Ansgar Wiechers li...@planetcobalt.net wrote:
On 2013-09-02 Littlefield, Tyler wrote:
On 9/2/2013 9:35 AM, Bruce Markey wrote:
The only way to nsa proof is to encrypt end to end with pgp.
^^^
I run postfix
On 02 Sep 2013, at 07:10 , Littlefield, Tyler ty...@tysdomain.com wrote:
Second, you'll need to encrypt your hard drive, which I doubt this whole blog
covers.
Encrypting your hard drive is trivial, at least in OS X and, I hear, even in
Windows. I suspect it's more difficult in linux/freebsd,
Top-posting this once.
This is obnoxious. Stop it.
On 02 Sep 2013, at 07:35 , Bruce Markey br...@secryption.com wrote:
-BEGIN PGP PUBLIC KEY BLOCK-
Version: GnuPG v1.4.12 (GNU/Linux)
mQINBFIjp+0BEACohL2HkOtWdsFyR+PUltMawCIfXgo4JWYElCLKWSRdwy8H+z2/
On 02.09.2013 22:55, LuKreme wrote:
On 02 Sep 2013, at 07:10 , Littlefield, Tyler ty...@tysdomain.com wrote:
Second, you'll need to encrypt your hard drive, which I doubt this whole blog
covers.
Encrypting your hard drive is trivial, at least in OS X and, I hear, even in
Windows.
and
On 02 Sep 2013, at 15:02 , li...@rhsoft.net wrote:
On 02.09.2013 22:55, LuKreme wrote:
On 02 Sep 2013, at 07:10 , Littlefield, Tyler ty...@tysdomain.com wrote:
Second, you'll need to encrypt your hard drive, which I doubt this whole
blog covers.
Encrypting your hard drive is
On 02.09.2013 23:13, LuKreme wrote:
On 02 Sep 2013, at 15:02 , li...@rhsoft.net wrote:
On 02.09.2013 22:55, LuKreme wrote:
On 02 Sep 2013, at 07:10 , Littlefield, Tyler ty...@tysdomain.com wrote:
Second, you'll need to encrypt your hard drive, which I doubt this whole
blog covers.
25 matches