On Wed, Dec 23, 2009 at 10:53:41AM +0100, Josep M. wrote:
> I have designed my own scripts for curiosity, for test saslauthd and
> Postfix AUTH plain and login in both ports, and also test the ciphers in
> Postfix.
Your curiousity exceeds your skill to interpret the results.
> Always fail, in both ports 25 and 587:
>
> DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
> RC2-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5
> DES-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5
> All others ciphers run ok in both ports 25 and 587..Should I disable
> these three ciphers in Postfix? Do I need install any other package?
> There is something broken?
No need. Postfix makes cipher settings easy for non-experts, by hiding
cipher-list details in advanced configuration parameters, and exposing
a simpler "cipher-grade" interface. If you stick to the "export", "low",
"medium", "high" abstraction, you will stay out of trouble.
> The errors are all as this:
>
> ./102-mail-smtp-test-starttls-p25-plain.sh CIPHER..: RC2-CBC-MD5 TEST
> FAILED
>
>
> command: openssl s_client -cipher RC2-CBC-MD5 -starttls smtp -crlf
> -connect localhost:25 2>&1
You forgot to specify "-ssl2" on the command-line, and got a v3 handshake
with a v2-only cipher-list. This does not happen in practice.
--
Viktor.
Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.
To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:majord...@postfix.org?body=unsubscribe%20postfix-users>
If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
