Manuel Bouyer wrote in <zvj6lirepxlce...@antioche.eu.org>:
 |Hello
 |I'm facing an issue with postfix+openssl3 which may be critical (depending
 |on how it can be fixed).
 |
 |Now my postfix setup fails to send mails with
 |Nov 13 20:20:53 comore postfix/smtp[6449]: warning: TLS library problem: error:0A00018E:SSL routines::ca md too weak:/usr/src/crypto/external/bsd/openssl/dist/ssl/statem/statem_lib.c:984:
 |
 |From what I understood, this is the remote certificate which is not
 |accepted:
 |openssl 3 deprecated some signature algorithms, which are no longer accepted
 |with @SECLEVEL=1 (which is the default).
 |In the server's certificate chain all but the last one are signed with
 |sha384WithRSAEncryption (which should be OK). The last one (the root
 |certificate) is signed with RSA-SHA1 and I don't think this will change
 |soon:
 | 3 s:C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
 |   i:C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
 |   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA1
 |   v:NotBefore: Jan  1 00:00:00 2004 GMT; NotAfter: Dec 31 23:59:59 2028 GMT
 |
 |So, as far as I understand, we end up with a postfix installation which
 |can't talk to servers with valid certificates.
 |
 |The solution (from google) would be to force @SECLEVEL=0 but I didn't find
 |a way to do this for postfix. The solutions I've seen were for openvpn or
 |curl, but nothing about postfix :(
Isn't that just postfix config. Btw *i* have no problem with

  smtpd_tls_ask_ccert = no
  smtpd_tls_auth_only = yes
  smtpd_tls_loglevel = 1
  #SMART The next is usually nice but when using client certificates
  smtpd_tls_received_header = no
  smtpd_tls_fingerprint_digest = sha256
  smtpd_tls_mandatory_protocols = >=TLSv1.2
  smtpd_tls_protocols = $smtpd_tls_mandatory_protocols
  # super modern, forward secrecy TLSv1.2 / TLSv1.3 selection..
  tls_high_cipherlist = EECDH+AESGCM:EECDH+AES256:EDH+AESGCM:CHACHA20
  smtpd_tls_mandatory_ciphers = high
  smtpd_tls_mandatory_exclude_ciphers = TLSv1
  ^ This works in practice without any noticeable trouble.
  (But then again I do not have to make money from that or my customers
  who must talk to ten year old refrigerators.)
  # ..otherwise that
  #smtpd_tls_mandatory_ciphers = high
  #smtpd_tls_mandatory_exclude_ciphers =
  #    aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH,
  #    EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA
  smtpd_tls_ciphers = $smtpd_tls_mandatory_ciphers
  smtpd_tls_exclude_ciphers = $smtpd_tls_mandatory_exclude_ciphers

I.e. This can only be a postfix config issue, no.

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
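An added example for this thread, written here and not code posted by either participant. Manuel's log line comes from postfix/smtp, the SMTP client, so what matters is which certificate in the remote server's chain the client-side OpenSSL 3 rejects at its default @SECLEVEL=1, where (per the OpenSSL SSL_CTX_set_security_level documentation) SHA1 and MD5 signatures fall below the 80-bit floor. The script below reads the "Certificate chain" listing that OpenSSL 3's s_client prints and flags every entry whose sigalg uses such a digest. The sample chain is constructed (only the depth-3 root entry is copied from the thread), the hostnames are placeholders, and the live probe assumes a reachable MX given as its argument.

```shell
#!/bin/sh
# Added example for this thread, not code from either poster: list the
# certificates in an `openssl s_client` chain dump whose signature digest
# OpenSSL 3 refuses at the default @SECLEVEL=1 (SHA1 and MD5 signatures
# carry fewer than the 80 security bits that level requires).

# Read a "Certificate chain" listing as printed by OpenSSL 3's s_client on
# stdin; print one line per certificate whose "sigalg:" is a weak digest.
weak_sig_certs() {
    awk '
        # " 3 s:<subject>" opens a chain entry; remember depth and subject
        /^ *[0-9]+ s:/ {
            depth = $1
            subj = $0
            sub(/^ *[0-9]+ s:/, "", subj)
        }
        # "   a:PKEY: ...; sigalg: RSA-SHA1" carries the signature algorithm
        /^ *a:PKEY:/ {
            sig = $0
            sub(/.*sigalg: */, "", sig)
            if (tolower(sig) ~ /(sha1|md5|md4|md2)/)
                printf "depth %s: %s signed with %s\n", depth, subj, sig
        }'
}

# Constructed sample (not captured from a real host): depths 0-2 carry
# SHA-256/384 signatures, depth 3 is the self-signed AAA Certificate
# Services root quoted in the thread. Hostnames are placeholders.
SAMPLE_CHAIN='Certificate chain
 0 s:CN = mail.example.net
   i:CN = Example Intermediate CA
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan  1 00:00:00 2023 GMT; NotAfter: Dec 31 23:59:59 2023 GMT
 1 s:CN = Example Intermediate CA
   i:CN = Example Cross-signed CA
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA384
   v:NotBefore: Jan  1 00:00:00 2020 GMT; NotAfter: Dec 31 23:59:59 2030 GMT
 2 s:CN = Example Cross-signed CA
   i:C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA384
   v:NotBefore: Jan  1 00:00:00 2019 GMT; NotAfter: Dec 31 23:59:59 2028 GMT
 3 s:C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
   i:C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA1
   v:NotBefore: Jan  1 00:00:00 2004 GMT; NotAfter: Dec 31 23:59:59 2028 GMT'

# Number of weak-signature entries in the constructed sample.
weak_count() {
    printf '%s\n' "$SAMPLE_CHAIN" | weak_sig_certs | wc -l | tr -d ' '
}

# Live probe (needs network; $1 is the MX host, an assumption of this
# example). "@SECLEVEL=0" in the cipher string lets the handshake complete
# so that the whole chain is printed and can be checked for what the
# default level 1 would reject.
probe_mx_chain() {
    openssl s_client -connect "$1:25" -starttls smtp \
        -cipher 'DEFAULT@SECLEVEL=0' </dev/null 2>/dev/null | weak_sig_certs
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_CHAIN" | weak_sig_certs
```

Against a real server, run `probe_mx_chain mx.example` and then repeat the same s_client command with `-cipher 'DEFAULT@SECLEVEL=1'`: if the flagged certificate is what the client trips over, the second run should fail with the same "ca md too weak" alert that Manuel's postfix/smtp logged. Note that the settings Steffen quotes are all `smtpd_tls_*` (server side); the failing process here is the SMTP client, whose behaviour is governed by the `smtp_tls_*` counterparts.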