In article <87mtxi8i6b@firsthand.net> you write:
>As far as I know OpenSRS DNS refuses DKIM keys longer than 1024 to this
>day despite my and I expect many others asking and asking and asking ...
>
>If they've changed this do educate me. As they haven't
They haven't. I just checked. Now you
As far as I know OpenSRS DNS refuses DKIM keys longer than 1024 to this
day despite my and I expect many others asking and asking and asking ...
If they've changed this do educate me. As they haven't
Christian
Brandon Long via mailop writes:
> On Thu, Jan 7, 2021 at 5:57 AM Dan Malm via mailop
life is too short sometimes for gaming poor system utilities and then
waiting for an update that breaks your game arbitrarily
Al Iverson via mailop writes:
> On Fri, Jan 8, 2021 at 2:22 AM Brandon Long via mailop
> wrote:
>>
>> We do still allow administrators to create 1024 bit DKIM keys becaus
In article <1f146c09-fe97-bd15-a4d4-a3e8b1c4b...@kooky.org> you write:
>On 08/01/2021 20:07, Joel M Snyder via mailop wrote:
>> And even if there were some HSTS-like way to bind certificates to
>> destination domain names, the lack of an interactive moment for the user
>> to say "yes" or "no" to a
I think this goes back to Jon Postel’s theory of accepting liberally, but
sending strictly.
I.E. If your users or other MTAs are sending you bad or no encryption, try to
accept it to get the job done.
If you are sending to other MTAs, try and send with the best possible
encryption at least until
SMTP uses _opportunistic_ encryption. It fails open.*
This has the unfortunate consequence that strengthening the encryption
often means to actually use no encryption at all. ☹
The client mta attempts to negotiate TLS1.2, is unable to and ends up
sending the email in plaintext, when it could have b
On 08/01/2021 20:07, Joel M Snyder via mailop wrote:
And even if there were some HSTS-like way to bind certificates to
destination domain names, the lack of an interactive moment for the user
to say "yes" or "no" to a questionable certificate makes it even worse.
So you don't rate the combo of
> I fully agree. The state of TLS in the mail world is quite sad and it
> would be great if we could all agree on actually keeping our systems up
> to date...
TLS in MUA protocols (IMAP or whatever Microsoft calls MAPI this week)
is fine. Not sad.
TLS in SMTP mail is also not sad; it's fundamen
On Fri, Jan 8, 2021 at 2:22 AM Brandon Long via mailop
wrote:
>
> We do still allow administrators to create 1024 bit DKIM keys because
> when we tried to change it, a large number of admins and the web-based DNS
> admin consoles they used couldn't handle the larger keys. That was years ago,
> th
On Thu, Jan 7, 2021 at 5:57 AM Dan Malm via mailop
wrote:
> On 2021-01-06 20:10, Tim Bray via mailop wrote:
> > My thoughts are `time for mail operators to pull their fingers out and
> > upgrade`. Because we are really saying `upgrade to something less than
> > 8 years old`
>
> I fully agree. T
On 2021-01-07 14:54, Dan Malm via mailop wrote:
> On 2021-01-06 18:36, Brandon Long via mailop wrote:
>> Does the above mean that it will fail DKIM keys less than 2048 will
>> fail? That's likely the larger issue.
> That's a good question. I don't handle any < 2048 bit DKIM keys on any
> Ubuntu
On 2021-01-06 20:10, Tim Bray via mailop wrote:
> My thoughts are `time for mail operators to pull their fingers out and
> upgrade`. Because we are really saying `upgrade to something less than
> 8 years old`
I fully agree. The state of TLS in the mail world is quite sad and it
would be great if
Note that gmail announced dropping support for ssl3/rc4 in 2015 (
https://security.googleblog.com/2015/09/disabling-sslv3-and-rc4.html) and
actually did it in 2016... and the hosts that were using it prior to that
were a small fraction.
Does the above mean that it will fail DKIM keys less than 2048
On 2021-01-06 at 14:23 +0100, Dan Malm via mailop wrote:
> This might have some implications for anyone running a mail server on
> Ubuntu as smtp delivery to recipients with a "legacy" SSL configuration
> will break with SSL errors like for example: "SSL
> routines:tls_process_ske_dhe:dh key too sm
Just my 5 cents:
As a small mail operator (10K mails/day) we disabled ___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
On 06/01/2021 13:23, Dan Malm via mailop wrote:
Just thought I'd spare others some troubleshooting in case you run into
this, and see if anyone else has any thoughts on it. :)
My thoughts are `time for mail operators to pull their fingers out and
upgrade`. Because we are really saying `upgr
Hi,
Canonical have decided to ship Ubuntu with an openssl
binary compiled with the seclevel option set to 2 as default:
"Security level set to 112 bits of security. As a result RSA, DSA and DH
keys shorter than 2048 bits and ECC keys shorter than 224 bits are
prohibited. In additio
17 matches