On Sun, Feb 08, 2015 at 10:41:50PM -0700, LuKreme wrote:
> >> smtpd_tls_protocols = TLSv1, !SSLv2, !SSLv3
> >
> > Why exclude TLSv1.1 and TLSv1.2? See the documentation.
> > The default is fine, but if you must tweak, exclude just
> > "SSLv2".
> >
> > smtpd_tls_protocols = !SSLv2
> >
> > On
On Feb 7, 2015, at 10:51 PM, Viktor Dukhovni wrote:
> On Sat, Feb 07, 2015 at 10:18:11PM -0700, LuKreme wrote:
>
>> # postconf -n | grep _tls_
>> smtp_tls_security_level = may
>> smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem
>
> Fine so far.
>
>> smtpd_tls_ciphers = high
>
> This is too "hi
On Sat, Feb 07, 2015 at 10:18:11PM -0700, LuKreme wrote:
> # postconf -n | grep _tls_
> smtp_tls_security_level = may
> smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem

Fine so far.

> smtpd_tls_ciphers = high

This is too "high" for opportunistic TLS. Anything more than
"medium" is too restric
On 07 Feb 2015, at 22:28 , Peter wrote:
> On 02/08/2015 06:18 PM, LuKreme wrote:
>> # openssl s_client -connect 127.0.0.1:993
>
> Port 993 is IMAPS which is not provided by postfix.

Yes, of course. Sorry.
--
Gods don't like people not doing much work. People who aren't busy all
the time might
On 02/08/2015 06:18 PM, LuKreme wrote:
> # openssl s_client -connect 127.0.0.1:993

Port 993 is IMAPS which is not provided by postfix.

Peter
# postconf -n | grep _tls_
smtp_tls_security_level = may
smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem
smtpd_tls_ciphers = high
# is smtp_tls_exclude needed?
smtpd_tls_exclude_ciphers = aNULL, DES, 3DES, MD5, DES+MD5, RC4
smtpd_tls_key_file = /etc/ssl/private/postfix.pem
smtpd_tls_loglevel = 2
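
A small checker for the two points raised in Viktor Dukhovni's replies above (a positive entry such as "TLSv1" in smtpd_tls_protocols shuts out TLSv1.1 and TLSv1.2, and cipher grade "high" is too restrictive for opportunistic TLS), added here as an example and not part of any message in the thread. The function names and the sample input are constructed for illustration; the sample combines the settings quoted in the thread.

```python
import re

# Constructed sample: settings quoted in the thread, in `postconf -n` form.
SAMPLE = """\
# postconf -n | grep _tls_
smtp_tls_security_level = may
smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem
smtpd_tls_ciphers = high
smtpd_tls_exclude_ciphers = aNULL, DES, 3DES, MD5, DES+MD5, RC4
smtpd_tls_protocols = TLSv1, !SSLv2, !SSLv3
"""

def parse_postconf(text):
    """Return {parameter: value} from 'name = value' lines, skipping comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        settings[name.strip()] = value.strip()
    return settings

def review(settings):
    """Return (parameter, finding) pairs for the two issues raised in the thread."""
    findings = []
    for name, value in sorted(settings.items()):
        # Opportunistic protocol lists only; *_tls_mandatory_protocols is out of scope.
        if re.fullmatch(r"(smtp|smtpd)_tls_protocols", name):
            tokens = [t for t in re.split(r"[,\s:]+", value) if t]
            included = [t for t in tokens if not t.startswith("!")]
            if included:
                # A name without "!" turns the list into an allow-list.
                findings.append((name, "only %s enabled; TLSv1.1 and TLSv1.2 "
                                 "are excluded" % ", ".join(included)))
        # Opportunistic cipher grade only; *_tls_mandatory_ciphers is out of scope.
        if re.fullmatch(r"(smtp|smtpd)_tls_ciphers", name) and value.lower() == "high":
            findings.append((name, "grade 'high' is too restrictive for opportunistic TLS"))
    return findings

if __name__ == "__main__":
    for name, finding in review(parse_postconf(SAMPLE)):
        print("%s: %s" % (name, finding))
```
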