> On Mar 13, 2018, at 10:53 AM, L.P.H. van Belle <be...@bazuin.nl> wrote: > > Yes, i've set smtpd_tls_ask_ccert to yes.
You almost certainly don't need this. > Hmmm, i now also noticed i dont have Trusted or Verified anymore, this must > be a miss on my side after the switch from 2.10 to 3.1 postfix. "Verified" is not possible with smtpd(8). "Trusted" could happen when the client certificate is signed by a trusted CA: http://www.postfix.org/FORWARD_SECRECY_README.html#status but, typically, you should not be requesting client certificates that serve no purpose. > I need ssl verification Not for incoming traffic, there just supporting STARTTLS is all you need. > smtpd_starttls_timeout = 300s Don't duplicate default settings. > smtpd_use_tls=yes > smtpd_enforce_tls = no These are obsolete > smtpd_tls_ask_ccert = yes > smtpd_tls_ccert_verifydepth = 2 You don't need these. I see no evidence of any meaningful use of client certs. At least not on port 25 via main.cf. > smtpd_tls_always_issue_session_ids = no This is the default. > smtpd_tls_received_header = yes Second time this is set. > smtpd_tls_CAfile = /etc/ssl/certs/Intermediate.cer It is much better to have all the required intermediates in your certfile, and leave this field empty. > smtpd_tls_ciphers = high This is unwise, the (default in supported releases) "medium" is better, see: https://tools.ietf.org/html/rfc7435 > smtpd_tls_exclude_ciphers = eNULL, aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, > DSS, ECDSA, CAMELLIA128, CAMELLIA256, 3DES This too is unwise. Remove this setting. > # Enable EECDH key exchange for Forward Security > smtpd_tls_eecdh_grade=ultra With OpenSSL 1.0.2 or later and Postfix >= 3.2, you're far better off with the default of "auto". http://www.postfix.org/postconf.5.html#smtpd_tls_eecdh_grade -- -- Viktor.
