Hi, Google Postmaster Tools recently started reporting that my TLS configuration is not properly set up. I don't think anything has changed, but perhaps it was never set up right. Here's what I'm seeing in the logs.
Sep 19 11:26:21 cipher postfix-gmail/smtp[1403397]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[64.233.177.27]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (prime256v1) server-digest SHA256

Here is my TLS configuration. I'm using SNI maps to deliver the cert depending on which of two domains the user is accessing. The "combined" cert below is the cert and key concatenated together.

smtp_tls_CAfile = /var/www/mail.example.com-443/ssl/DigiCertCA.crt
smtp_tls_loglevel = 1
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_tls_security_level = may
smtpd_sasl_tls_security_options = noanonymous
smtpd_tls_auth_only = yes
smtpd_tls_chain_files = /var/www/mail.example.com-443/ssl/mail_example_com-2025.key, /var/www/mail.example.com-443/ssl/mail_example_com-combined-2025.crt
smtpd_tls_exclude_ciphers = MD5, RC4, 3DES, IDEA, SEED, aNULL
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = >=TLSv1.2
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
tls_preempt_cipherlist = yes
tls_random_source = dev:/dev/urandom
tls_server_sni_maps = hash:/etc/postfix/vmail_ssl.map

I'm using TLS with submission on 587 and SMTP on 25. Here is the openssl output:

$ openssl s_client -connect mail.example.com:587 -starttls smtp -showcerts

submission: https://pastebin.com/FU2WwAbA
smtp: https://pastebin.com/2ZLp5dMD

Thank you,
Alex
_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
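The log line quoted above is an outbound (smtp client) record, and its "Untrusted" prefix is Postfix's trust level for that session: the peer presented a certificate, but with smtp_tls_security_level = may Postfix does not verify it, so "Untrusted" is the expected state rather than a fault. The parser below is an added example, not code from the post or from the Postfix project; it classifies Postfix "TLS connection established" lines by direction and trust level so a reviewer can separate outbound sessions (what this log shows) from inbound ones (what a remote sender sees when connecting to smtpd on port 25). The inbound sample line, its hostname and its 192.0.2.10 address are constructed.

```python
import re
from collections import Counter

# Postfix logs one of four trust levels for each TLS session it establishes:
# Anonymous (no peer certificate), Untrusted (certificate present but not
# verified), Trusted (chain verified against a CA), Verified (chain verified
# and name matched). Only the last two mean the peer certificate was checked.
TLS_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[^\[\s]+)\[(?P<pid>\d+)\]: "
    r"(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"(?P<dir>to|from) (?P<peer>[^\[\s]+)\[(?P<ip>[^\]]+)\](?::(?P<port>\d+))?: "
    r"(?P<proto>TLSv[\d.]+) with cipher (?P<cipher>\S+) \((?P<bits>\d+/\d+) bits\)"
)

# Constructed sample: the first line is the one quoted in the post (outbound
# delivery to Gmail); the second is a constructed inbound smtpd session.
SAMPLE_LOG = [
    "Sep 19 11:26:21 cipher postfix-gmail/smtp[1403397]: Untrusted TLS connection "
    "established to gmail-smtp-in.l.google.com[64.233.177.27]:25: TLSv1.3 with cipher "
    "TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA "
    "(prime256v1) server-digest SHA256",
    "Sep 19 11:30:02 cipher postfix/smtpd[1403500]: Anonymous TLS connection "
    "established from mx.sender.example.net[192.0.2.10]: TLSv1.3 with cipher "
    "TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature "
    "RSA-PSS (2048 bits) server-digest SHA256",
]


def parse_tls_line(line):
    """Return a dict of fields for a Postfix TLS session line, or None."""
    m = TLS_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # "to" is logged by the smtp client (outbound), "from" by smtpd (inbound).
    rec["direction"] = "outbound" if rec["dir"] == "to" else "inbound"
    rec["cert_checked"] = rec["trust"] in ("Trusted", "Verified")
    return rec


def summarize(lines):
    """Count sessions by (direction, trust level) over an iterable of log lines."""
    counts = Counter()
    for line in lines:
        rec = parse_tls_line(line)
        if rec is not None:
            counts[(rec["direction"], rec["trust"])] += 1
    return counts


if __name__ == "__main__":
    for (direction, trust), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{direction:8s} {trust:10s} {n}")
```

A run of outbound "Untrusted" lines therefore says nothing about the certificate chain the server itself presents on port 25; that has to be checked from the inbound side, for example with openssl s_client against port 25 using -servername for each SNI name.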
