On Wed, Dec 23, 2009 at 10:53:41AM +0100, Josep M. wrote:

> I have designed my own scripts for curiosity, for test saslauthd and
> Postfix AUTH plain and login in both ports, and also test the ciphers in
> Postfix.

Your curiosity exceeds your skill to interpret the results.

> Always fail, in both ports 25 and 587:
>
> DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
> RC2-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5
> DES-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5
> All others ciphers run ok in both ports 25 and 587..Should I disable
> these three ciphers in Postfix? Do I need install any other package?
> There is something broken?

No need. Postfix makes cipher settings easy for non-experts, by hiding
cipher-list details in advanced configuration parameters, and exposing
a simpler "cipher-grade" interface. If you stick to the "export", "low",
"medium", "high" abstraction, you will stay out of trouble.

> The errors are all as this:
>
> ./102-mail-smtp-test-starttls-p25-plain.sh CIPHER..: RC2-CBC-MD5 TEST
> FAILED
>
>
> command: openssl s_client -cipher RC2-CBC-MD5 -starttls smtp -crlf
> -connect localhost:25 2>&1

You forgot to specify "-ssl2" on the command-line, and got a v3 handshake
with a v2-only cipher-list. This does not happen in practice.

--
Viktor.
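The point of the reply above, as an added example that is not part of the original thread: a per-cipher test has to take the protocol from the second column of the `openssl ciphers -v` line and pass "-ssl2" to s_client for SSLv2-only ciphers, otherwise the failure is a test artifact. The function names, the sample list, and the AES256-SHA line are assumptions for illustration; the script only prints the commands, and running them assumes an OpenSSL build that still has SSLv2 support.

```shell
#!/bin/sh
# Added example (not from the original thread): build the s_client command
# for each cipher, adding -ssl2 when `openssl ciphers -v` labels it SSLv2.

# Constructed sample input: two lines quoted in the thread plus one
# SSLv3-labelled line added for contrast.
SAMPLE_CIPHERS='DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
RC2-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1'

# proto_flag PROTOCOL: prints "-ssl2" for SSLv2-only ciphers, nothing
# otherwise (the default handshake already covers the rest).
proto_flag() {
    case "$1" in
        SSLv2) printf '%s' '-ssl2' ;;
        *) ;;
    esac
}

# build_cmd "CIPHER-LINE" HOST:PORT: prints the s_client command to run.
build_cmd() {
    line=$1
    target=$2
    name=$(printf '%s\n' "$line" | awk '{print $1}')    # cipher name
    proto=$(printf '%s\n' "$line" | awk '{print $2}')   # protocol column
    flag=$(proto_flag "$proto")
    printf 'openssl s_client %s-cipher %s -starttls smtp -crlf -connect %s\n' \
        "${flag:+$flag }" "$name" "$target"
}

# build_all HOST:PORT: one command per line of the sample list.
build_all() {
    printf '%s\n' "$SAMPLE_CIPHERS" | while IFS= read -r line; do
        [ -n "$line" ] && build_cmd "$line" "$1"
    done
}

build_all localhost:25
```
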