[pfx] Re: old printer with weak TLS cipher selection
> Have you tried connecting to this server with:
>
> $ openssl s_client -connect :25 \
>     -starttls smtp -tls1_2 -cipher 'HIGH+AES+kRSA+CBC:@STRENGTH'
>
> Seems like determining whether the ciphers could interoperate is the
> first step.

On Mon, Nov 25, 2024 at 03:29:54PM +0100, Matus UHLAR - fantomas via Postfix-users wrote:
> works with tls1.3, doesn't work otherwise:

On 26.11.24 02:24, Viktor Dukhovni via Postfix-users wrote:
> Of course, because TLS 1.3 ignores "-ciphers", it does algorithm
> negotiation very differently.

Aha, that explains it, thanks.

> 00A77BF7:error:0A000410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1605:SSL alert number 40
>
> Ah, so the server refuses these, sending an alert. Now you need to
> determine why the server is unwilling.
>
> > Alert Message
> >     Level: Fatal (2)
> >     Description: Handshake Failure (40)
> >
> > That's not useful, without knowing which party sent the alert.
>
> sorry, forgot to say it was server reply to TLS helo.
>
> As confirmed by the s_client test. It sure looks like RSA key exchange
> is disabled in your OpenSSL (unless you've not Postfix settings you have
> that disable 'kRSA' or CBC ciphers). In which case you'd need to figure
> out how to reënable it, or build your own OpenSSL to link Postfix with,
> that is not crippled.
>
> To avoid problems with shared library conflicts, you'd need a
> "shlib_variant". In my builds I add a file to the "Configurations"
> directory of the source tree:

I believe I found the problem and it was caused by dehydrated, script to
generate Let's Encrypt certificates.

- after upgrade to 0.7.0, dehydrated started requesting secp384r1
  algorithms, which apparently disabled rsa negotiation

after requesting RSA certificate, the client's device succeeded connecting
with TLS1.2.

It even works with:

    smtpd_tls_mandatory_ciphers=high

and I haven't changed any _cipherlist variable.

Thanks Viktor for assistance

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Quantum mechanics: The dreams stuff is made of.
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
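The outcome reported in the message above, modelled as an added example (not code from the thread, Postfix or OpenSSL): in TLS 1.2 and earlier a suite can be selected only if the server holds a certificate of the key type named in the suite's Au= field, so a server holding only an ECDSA certificate shares nothing with a client that offers only TLS_RSA_* suites. The two ECDHE rows, MODERN_OFFER, the function names and client-preference selection are assumptions made for illustration.

```python
import re

# Constructed sample: the four kRSA rows of `openssl ciphers -V -stdname`
# output quoted in the thread, plus two ECDHE rows added here for contrast.
SERVER_CIPHERS = """\
0xC0,0x2C - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
0xC0,0x30 - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
0x00,0x3D - TLS_RSA_WITH_AES_256_CBC_SHA256 - AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
0x00,0x35 - TLS_RSA_WITH_AES_256_CBC_SHA - AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
0x00,0x3C - TLS_RSA_WITH_AES_128_CBC_SHA256 - AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
0x00,0x2F - TLS_RSA_WITH_AES_128_CBC_SHA - AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
"""

# Suite codes from the printer's ClientHello as quoted in the thread
# (the page shows only the first four of its 13 suites).
PRINTER_OFFER = [0x003D, 0x0035, 0x003C, 0x002F]
# Constructed: a modern client that also offers ECDHE suites.
MODERN_OFFER = [0xC02C, 0xC030, 0x003D]

ROW = re.compile(
    r"^\s*0x([0-9A-Fa-f]{2}),0x([0-9A-Fa-f]{2})\s+-\s+(?:(TLS_\S+)\s+-\s+)?"
    r"(\S+)\s+(\S+)\s+Kx=(\S+)\s+Au=(\S+)\s+Enc=(\S+)\s+Mac=(\S+)\s*$")


def parse_ciphers(text):
    """Parse `openssl ciphers -V [-stdname]` rows into dicts keyed by field."""
    suites = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            hi, lo, std, name, proto, kx, au, enc, mac = m.groups()
            suites.append({"code": int(hi + lo, 16), "stdname": std or name,
                           "name": name, "kx": kx, "au": au})
    return suites


def negotiable(server_suites, client_codes, cert_key_types):
    """Suites usable in a TLS <= 1.2 handshake, in the client's order.

    A suite qualifies only if the client offered it, the server enables it,
    and the server holds a certificate whose key type matches the suite's Au.
    """
    by_code = {s["code"]: s for s in server_suites}
    return [by_code[c] for c in client_codes
            if c in by_code and by_code[c]["au"] in cert_key_types]


def outcome(server_suites, client_codes, cert_key_types):
    """Name of the selected suite, or the alert the server would send."""
    usable = negotiable(server_suites, client_codes, cert_key_types)
    if usable:
        return usable[0]["stdname"]
    return "server sends fatal alert 40 (handshake_failure)"


if __name__ == "__main__":
    suites = parse_ciphers(SERVER_CIPHERS)
    for label, offer in (("printer", PRINTER_OFFER), ("modern client", MODERN_OFFER)):
        for certs in ({"ECDSA"}, {"RSA"}, {"RSA", "ECDSA"}):
            print(f"{label:13} certs={sorted(certs)} -> {outcome(suites, offer, certs)}")
```

To run it against a real server, replace SERVER_CIPHERS with the output of `openssl ciphers -V -stdname` for the cipherlist in use and pass the key types of the certificates the server actually has configured.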
[pfx] Re: old printer with weak TLS cipher selection
On Mon, Nov 25, 2024 at 03:29:54PM +0100, Matus UHLAR - fantomas via Postfix-users wrote:

> > Have you tried connecting to this server with:
> >
> > $ openssl s_client -connect :25 \
> >     -starttls smtp -tls1_2 -cipher 'HIGH+AES+kRSA+CBC:@STRENGTH'
> >
> > Seems like determining whether the ciphers could interoperate is the
> > first step.
>
> works with tls1.3, doesn't work otherwise:

Of course, because TLS 1.3 ignores "-ciphers", it does algorithm
negotiation very differently.

> 00A77BF7:error:0A000410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1605:SSL alert number 40

Ah, so the server refuses these, sending an alert. Now you need to
determine why the server is unwilling.

> I have also tried this from Debian 10 machine without success, it doesn't
> understand the "CBC" part

The client OS does not matter.

> > > Alert Message
> > >     Level: Fatal (2)
> > >     Description: Handshake Failure (40)
> >
> > That's not useful, without knowing which party sent the alert.
>
> sorry, forgot to say it was server reply to TLS helo.

As confirmed by the s_client test. It sure looks like RSA key exchange
is disabled in your OpenSSL (unless you've not Postfix settings you have
that disable 'kRSA' or CBC ciphers). In which case you'd need to figure
out how to reënable it, or build your own OpenSSL to link Postfix with,
that is not crippled.

To avoid problems with shared library conflicts, you'd need a
"shlib_variant". In my builds I add a file to the "Configurations"
directory of the source tree:

Configurations/99-viktor.conf:

    my %targets = (
        "linux-x86_64-rpk" => {
            inherit_from  => [ "linux-x86_64" ],
            shlib_variant => "rpk",
        },
        "BSD-x86_64-rpk" => {
            inherit_from  => [ "BSD-x86_64" ],
            shlib_variant => "rpk",
        },
    );

The string "rpk" can be anything else you want, just not already used
with another custom OpenSSL build.

Then, I run

    $ ./Configure --prefix=/opt/openssl/3.4 -Wl,-rpath,/opt/openssl/3.4/lib64 linux-x86_64-rpk
    $ make
    $ make test
    # make install_sw
    # make install_ssldirs

to create a build in a non-default location with the non-default SO_NAME
variant libraries. I then configure Postfix with:

    #! /bin/sh

    PFIX=/opt/postfix
    OSSL=/opt/openssl/3.4
    OSSL_LDFLAGS="-Wl,-R,$OSSL/lib64 -L$OSSL/lib64 -lssl -lcrypto"
    OSSL_CFLAGS="-I$OSSL/include"

    make -f Makefile.init dynamicmaps=yes shared=yes pie=yes openssl_path=$OSSL/bin/openssl \
        "CCARGS=$OSSL_CFLAGS "'-DNO_NIS -DUSE_SASL_AUTH -I/usr/include/sasl -DHAS_PCRE=2 -DUSE_CYRUS_SASL -DUSE_TLS -DHAS_CDB -DHAS_LMDB' \
        "AUXLIBS=$OSSL_LDFLAGS "'-lsasl2 -ldb' \
        'AUXLIBS_CDB=-lcdb' \
        'AUXLIBS_PCRE=-lpcre2-8' \
        'AUXLIBS_LMDB=-llmdb' \
        command_directory=$PFIX/sbin \
        config_directory=$PFIX/etc \
        daemon_directory=$PFIX/libexec \
        data_directory=/var/lib/postfix \
        mailq_path=$PFIX/sbin/mailq \
        newaliases_path=$PFIX/sbin/newaliases \
        queue_directory=/var/spool/postfix \
        sendmail_path=$PFIX/sbin/sendmail \
        shlib_directory=$PFIX/lib64/MAIL_VERSION \
        html_directory=no \
        manpage_directory=$PFIX/man \
        readme_directory=no \
        makefiles

After running that:

    $ make
    # make upgrade
    # install bin/posttls-finger /opt/postfix/sbin/posttls-finger
    # install -m 0444 man/man1/posttls-finger.1 /opt/postfix/man/man1/posttls-finger.1

Running that build instead of the vendor's means tweaking the init or
systemd configs accordingly.

--
Viktor.
[pfx] Re: old printer with weak TLS cipher selection
On Mon, Nov 25, 2024 at 11:52:07AM +0100, Matus UHLAR - fantomas via Postfix-users wrote:
> This is Debian 12, postfix 3.7.11 and SSL 3.0.15.

On 25.11.24 22:26, Viktor Dukhovni via Postfix-users wrote:
> Does Debian do anything similar to RedHat's crypto policy?

Nothing I know of. The closest to crypto policy was the openssl.conf
setting I mentioned before.

> > I can see these ciphers when I fed the command above with contents of
> > tls_medium_cipherlist/tls_high_cipherlist
>
> Have you tried connecting to this server with:
>
> $ openssl s_client -connect :25 \
>     -starttls smtp -tls1_2 -cipher 'HIGH+AES+kRSA+CBC:@STRENGTH'
>
> Seems like determining whether the ciphers could interoperate is the
> first step.

works with tls1.3, doesn't work otherwise:

    00A77BF7:error:0A000410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1605:SSL alert number 40

I have also tried this from Debian 10 machine without success, it doesn't
understand the "CBC" part

> > Looking back at pcap output:
> >
> > Alert Message
> >     Level: Fatal (2)
> >     Description: Handshake Failure (40)
>
> That's not useful, without knowing which party sent the alert.

sorry, forgot to say it was server reply to TLS helo.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
[pfx] Re: old printer with weak TLS cipher selection
On Mon, Nov 25, 2024 at 11:52:07AM +0100, Matus UHLAR - fantomas via Postfix-users wrote:

> This is Debian 12, postfix 3.7.11 and SSL 3.0.15.

Does Debian do anything similar to RedHat's crypto policy?

> > Note that these ciphers don't enable "forward-secrecy", they use RSA key
> > exchange:
> >
> > $ openssl ciphers -V -stdname -s -tls1_2 -v 'HIGH+AES+kRSA+CBC:@STRENGTH'
> > 0x00,0x3D - TLS_RSA_WITH_AES_256_CBC_SHA256 - AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
> > 0x00,0x35 - TLS_RSA_WITH_AES_256_CBC_SHA - AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
> > 0x00,0x3C - TLS_RSA_WITH_AES_128_CBC_SHA256 - AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
> > 0x00,0x2F - TLS_RSA_WITH_AES_128_CBC_SHA - AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
> >
> > So, my money is on RSA key exchange being disabled in your OpenSSL,
> > unless there are other Postfix settings you've not shared that do that.
>
> I can see these ciphers when I fed the command above with contents of
> tls_medium_cipherlist/tls_high_cipherlist

Have you tried connecting to this server with:

    $ openssl s_client -connect :25 \
        -starttls smtp -tls1_2 -cipher 'HIGH+AES+kRSA+CBC:@STRENGTH'

Seems like determining whether the ciphers could interoperate is the
first step.

> Looking back at pcap output:
>
> Alert Message
>     Level: Fatal (2)
>     Description: Handshake Failure (40)

That's not useful, without knowing which party sent the alert.

> Now I am not even sure it's problem of ciphers (doesn't that error produce
> different output?), can this be caused by other property?
>
> Signature Hash Algorithms (10 algorithms)
>     Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
>     Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
>     Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
>     Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
>     Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
>     Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)
>     Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
>     Signature Algorithm: SHA1 DSA (0x0202)
>     Signature Algorithm: ecdsa_sha1 (0x0203)
>     Signature Algorithm: MD5 RSA (0x0101)

Let's avoid random guesses.

--
Viktor.
[pfx] Re: old printer with weak TLS cipher selection
On 2024-11-22 at 13:24:33 UTC-0500 (Fri, 22 Nov 2024 19:24:33 +0100)
Matus UHLAR - fantomas via Postfix-users is rumored to have said:
> Now I'm searching for the proper smtpd_tls_exclude_ciphers setting to get
> at least some, possibly most secure ciphers of those provided in my first
> mail.
>
> smtpd_tls_exclude_ciphers = MD5,SRP,PSK,aDSS,kECDH,kDH,SEED,IDEA,RC2,RC5,RC4,3DES

On 22.11.24 18:20, Bill Cole via Postfix-users wrote:
> If you're up to date with Postfix, you probably do not need to list
> anything in smtpd_tls_exclude_ciphers.

perhaps yes, I have postfix 3.7.11 - IIRC this setting was here to disable
weak ciphers in case TLS1.0 is enabled, which is default on 25 with
opportunistic encryption

> Cipher Suites (13 suites)
>     Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
>     Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
>     Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
>     Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)

On 23.11.24 18:41, Viktor Dukhovni via Postfix-users wrote:
> These first four should work fine, unless you're using a version of
> OpenSSL that disabled these, at compile time or runtime, perhaps
> Redhat/Fedora Crypto policies?

This is Debian 12, postfix 3.7.11 and SSL 3.0.15.

smtpd_tls_exclude_ciphers is the only place I tried to raise security level
for client connections.

I have even reenabled TLS1.0 in openssl.cnf according to:

https://github.com/openssl/openssl/discussions/22752#discussioncomment-7617584

- this should get used only for client connections so I can run
  "openssl s_client -tls1"

servers like postfix have their own ssl configuration directives.

> Note that these ciphers don't enable "forward-secrecy", they use RSA key
> exchange:
>
> $ openssl ciphers -V -stdname -s -tls1_2 -v 'HIGH+AES+kRSA+CBC:@STRENGTH'
> 0x00,0x3D - TLS_RSA_WITH_AES_256_CBC_SHA256 - AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
> 0x00,0x35 - TLS_RSA_WITH_AES_256_CBC_SHA - AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
> 0x00,0x3C - TLS_RSA_WITH_AES_128_CBC_SHA256 - AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
> 0x00,0x2F - TLS_RSA_WITH_AES_128_CBC_SHA - AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
>
> So, my money is on RSA key exchange being disabled in your OpenSSL,
> unless there are other Postfix settings you've not shared that do that.

I can see these ciphers when I fed the command above with contents of
tls_medium_cipherlist/tls_high_cipherlist

Looking back at pcap output:

    Alert Message
        Level: Fatal (2)
        Description: Handshake Failure (40)

Now I am not even sure it's problem of ciphers (doesn't that error produce
different output?), can this be caused by other property?

    Signature Hash Algorithms (10 algorithms)
        Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
        Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
        Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
        Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
        Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
        Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)
        Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
        Signature Algorithm: SHA1 DSA (0x0202)
        Signature Algorithm: ecdsa_sha1 (0x0203)
        Signature Algorithm: MD5 RSA (0x0101)

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
[pfx] Re: old printer with weak TLS cipher selection
On Fri, Nov 22, 2024 at 01:09:06PM +0100, Matus UHLAR - fantomas via Postfix-users wrote:

> Our customer has an old scanner/printer seems to support TLS1.2, but only a
> few weak ciphers that are forbidden in our postfix configuration, according
> to old discussion in this list:

TLS 1.2 is acceptable, and the supported ciphers should overlap with
ones you should be willing to support, provided your OpenSSL library is
not compiled or configured to turn crypto security up to 11.

> smtpd_tls_exclude_ciphers =
>     MD5,SRP,PSK,aDSS,kECDH,kDH,SEED,IDEA,RC2,RC5,RC4,3DES

The "SRP" and "PSK" exclusions are only there to not clutter the
cipherlist, they can't be used without additional configuration, so
their exclusion is *cosmetic*. The rest are indeed obsolete, and are
excluded by default in recent Postfix versions:

    $ postconf -d | grep MD5
    tls_high_cipherlist = aNULL:-aNULL:HIGH:!SEED:!IDEA:!3DES:!RC2:!RC4:!RC5:!kDH:!kECDH:!aDSS:!MD5:@STRENGTH
    tls_medium_cipherlist = aNULL:-aNULL:HIGH:MEDIUM:!SEED:!IDEA:!3DES:!RC2:!RC4:!RC5:!kDH:!kECDH:!aDSS:!MD5:+RC4:@STRENGTH
    tls_null_cipherlist = eNULL:!kDH:!kECDH:!aDSS:!MD5:!aNULL

But that's not your problem.

> According to wireshark input its supported ciphers are:
>
> Handshake Protocol: Client Hello
>     Version: TLS 1.2 (0x0303)
>
>     Cipher Suites (13 suites)
>         Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
>         Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
>         Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
>         Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)

These first four should work fine, unless you're using a version of
OpenSSL that disabled these, at compile time or runtime, perhaps
Redhat/Fedora Crypto policies?

Note that these ciphers don't enable "forward-secrecy", they use RSA key
exchange:

    $ openssl ciphers -V -stdname -s -tls1_2 -v 'HIGH+AES+kRSA+CBC:@STRENGTH'
    0x00,0x3D - TLS_RSA_WITH_AES_256_CBC_SHA256 - AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
    0x00,0x35 - TLS_RSA_WITH_AES_256_CBC_SHA - AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
    0x00,0x3C - TLS_RSA_WITH_AES_128_CBC_SHA256 - AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
    0x00,0x2F - TLS_RSA_WITH_AES_128_CBC_SHA - AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1

So, my money is on RSA key exchange being disabled in your OpenSSL,
unless there are other Postfix settings you've not shared that do that.

> IIUC, as CBC ciphers are unsafe, it would make most sense to allow RC4 on
> specialised submission service on different TCP port.

No, as correctly noted by Bill Cole, the CBC ciphers are more
appropriate in SMTP than is RC4.

On Fri, Nov 22, 2024 at 03:12:01PM +0100, Matus UHLAR - fantomas via Postfix-users wrote:

> so I guess I'll have to exclude SRP or PSK [...]

That would be a NOOP, as noted above, just keeps the list tidy, but has
no effect on the wire.

On Fri, Nov 22, 2024 at 01:01:40PM -0500, Bill Cole via Postfix-users wrote:

> The HTTP-relevant attacks (e.g. BEAST) I am aware of on CBC ciphersuites are
> infeasible against SMTP and similar protocols.
>
> https://marc.info/?l=postfix-users&m=133649211220443&w=2
> https://success.qualys.com/discussions/s/question/0D52L4TntrHSAR/weak-cbc-mode-vulnerability-on-smtp&ved=2ahUKEwjV6r-IwfCJAxULj4kEHV_wJGUQFnoECC4QAQ&usg=AOvVaw3-avte1ZFDupDEI4r7shA1
> https://blog.qualys.com/product-tech/2011/10/17/mitigating-the-beast-attack-on-tls#comment-8481

Thanks for saving me the trouble.

On Fri, Nov 22, 2024 at 07:24:33PM +0100, Matus UHLAR - fantomas via Postfix-users wrote:

> Now I'm searching for the proper smtpd_tls_exclude_ciphers setting to get at
> least some, possibly most secure ciphers of those provided in my first mail.

Well, nothing you've reported explicitly disables the CBC ciphers, but
see above re forward-secrecy and kRSA.

--
Viktor.
[pfx] Re: old printer with weak TLS cipher selection
On 2024-11-22 at 13:24:33 UTC-0500 (Fri, 22 Nov 2024 19:24:33 +0100)
Matus UHLAR - fantomas via Postfix-users is rumored to have said:

[...]
> Thanks. Now I'm searching for the proper smtpd_tls_exclude_ciphers
> setting to get at least some, possibly most secure ciphers of those
> provided in my first mail.

If you're up to date with Postfix, you probably do not need to list
anything in smtpd_tls_exclude_ciphers.

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
[pfx] Re: old printer with weak TLS cipher selection
On 2024-11-22 at 07:09:06 UTC-0500 (Fri, 22 Nov 2024 13:09:06 +0100)
Matus UHLAR - fantomas via Postfix-users is rumored to have said:
> IIUC, as CBC ciphers are unsafe,

On 22.11.24 13:01, Bill Cole via Postfix-users wrote:
> What is your basis for understanding that, in regards to SMTP?

Nothing, just remembered there were problems related to CBC mode, without
details. These links explain it nicely.

> The HTTP-relevant attacks (e.g. BEAST) I am aware of on CBC ciphersuites
> are infeasible against SMTP and similar protocols.
>
> https://marc.info/?l=postfix-users&m=133649211220443&w=2
> https://success.qualys.com/discussions/s/question/0D52L4TntrHSAR/weak-cbc-mode-vulnerability-on-smtp&ved=2ahUKEwjV6r-IwfCJAxULj4kEHV_wJGUQFnoECC4QAQ&usg=AOvVaw3-avte1ZFDupDEI4r7shA1
> https://blog.qualys.com/product-tech/2011/10/17/mitigating-the-beast-attack-on-tls#comment-8481

Thanks. Now I'm searching for the proper smtpd_tls_exclude_ciphers setting
to get at least some, possibly most secure ciphers of those provided in my
first mail.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
[pfx] Re: old printer with weak TLS cipher selection
On 2024-11-22 at 07:09:06 UTC-0500 (Fri, 22 Nov 2024 13:09:06 +0100)
Matus UHLAR - fantomas via Postfix-users is rumored to have said:

> IIUC, as CBC ciphers are unsafe,

What is your basis for understanding that, in regards to SMTP?

The HTTP-relevant attacks (e.g. BEAST) I am aware of on CBC ciphersuites
are infeasible against SMTP and similar protocols.

https://marc.info/?l=postfix-users&m=133649211220443&w=2
https://success.qualys.com/discussions/s/question/0D52L4TntrHSAR/weak-cbc-mode-vulnerability-on-smtp&ved=2ahUKEwjV6r-IwfCJAxULj4kEHV_wJGUQFnoECC4QAQ&usg=AOvVaw3-avte1ZFDupDEI4r7shA1
https://blog.qualys.com/product-tech/2011/10/17/mitigating-the-beast-attack-on-tls#comment-8481

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
[pfx] Re: old printer with weak TLS cipher selection
On Fri, Nov 22, 2024 at 7:51 AM Matthew McGehrin via Postfix-users wrote:
>
> Hello
>
> Perhaps just a secondary port without TLS for legacy devices. TLS isn't
> required for SMTP.

And maybe a separate vlan for printers or legacy devices.

> See also:
>
> https://ciphersuite.info/
>
> For looking up various cipher suites.
>
> On 11/22/2024 6:09 AM, Matus UHLAR - fantomas via Postfix-users wrote:
>
> Hello,
> Our customer has an old scanner/printer seems to support TLS1.2, but only a
> few weak ciphers that are forbidden in our postfix configuration, according
> to old discussion in this list:
[pfx] Re: old printer with weak TLS cipher selection
Hello

Perhaps just a secondary port without TLS for legacy devices. TLS isn't
required for SMTP.

See also:

https://ciphersuite.info/

For looking up various cipher suites.

On 11/22/2024 6:09 AM, Matus UHLAR - fantomas via Postfix-users wrote:
> Hello,
> Our customer has an old scanner/printer seems to support TLS1.2, but
> only a few weak ciphers that are forbidden in our postfix
> configuration, according to old discussion in this list: