smtpd_tls_fingerprint_digest with better than sha1 - e.g. sha256 ?

2011-11-27 Thread gmx Ralf Hauser
Hi,

http://www.postfix.org/postconf.5.html#smtpd_tls_fingerprint_digest is a
great feature.

Is there a plan to offer stronger digest algorithms such as sha256 ?

There appear to be some regulators who prefer to go beyond sha1 - see e.g.
chapt 2 (p 3) of

http://www.bundesnetzagentur.de/cln_1931/DE/Sachgebiete/QES/Veroeffentlichungen/Algorithmen/algorithmen_node.html (currently 2011_2_AlgoKatpdf.pdf)

Regards

Ralf



STARTTLS problem with Lotus Domino v8.5.1 - Domino as a client fails to send own certificate

2011-11-16 Thread gmx Ralf Hauser
Hi,

In our postfix server, we see

SSL_accept error from hgrs-mail01.hgrs.tld.dom[161.x.y.z]: 0 

Nov 16 08:54:52 postfix2cc/smtpd[18662]: warning: TLS library problem: 18662:error:140943E8:SSL routines:SSL3_READ_BYTES:reason(1000):s3_pkt.c:1053:SSL alert number 0:

This error message apparently means that the client aborted the handshake
just after receiving the server certificate.
Details of the TLS handshake incl. pcap wireshark view have been posted to
http://www.mail-archive.com/openssl-users@openssl.org/ 
If anybody is interested, I am happy to bilaterally send the .pcap files for
further analysis.

One hypothesis is that there is a Lotus Notes Domino bug (LO41163:
IMPROPERLY BUILDING CERT CHAIN WHEN FOREIGN HOST PRESENTS JUST LEAF CERT)
but the problem continued even when not just the leaf but also the leaf +
intermediate or incl. root respectively were sent by the postfix server. So
there must also be another problem.

Any hints how to do a client certificate authentication TLS-handshake
between IBM's v8.51 as the client and postfix/openssl on the server side
would be highly appreciated.

Many thanks in advance

Ralf



RFE: in mysql_table add "%p" for the listener port

2010-06-03 Thread gmx
Dear list,

In our postfix configs, we use multiple queries based on the mysql_table
that only differ by the postfix listener port as configured in the master.cf.

So as per http://www.postfix.org/mysql_table.5.html if instead of the query
containing each a different hard coded 

   ... where port = 2025

or 

   ... where port = 2026

or 

   ... where port = 2027

...

we could have just one query with

   ... where port = %p

So the request is to not only allow for %s, %u, %d, ... but also the new %p
that is no longer directly dependent on the "input key".
What do you think of this "Request for enhancement"?

Ralf


--
https://www.privasphere.com/hau...@acm.org




RFE: add an import mechanism to the mysql_table

2010-06-03 Thread gmx
Dear list,

In our postfix configs, we use multiple queries based on the mysql_table
from the same DB.

So as per http://www.postfix.org/mysql_table.5.html each of the mysql config
files contains a

hosts = mydbhost.domain.tld
user = mydbUser
password = myPassword
dbname = myDB

section before the query.
Once any of these parameters needs to be changed, the values need to be
changed repetitively for each query.

If the query file format would allow for 
<<
import=/etc/postfix/mysql/dbConf.cf
>>

What do you think of this "Request for enhancement"?

Ralf
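
One way to get the effect of this request and of the "%p" request above with the existing mysql_table file format, as an added example that is not part of the original posts and not Postfix code: render one file per listener port from a single shared connection file and a single query template. The @PORT@ token, the port-N.cf file names and the sample table and column names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not Postfix code): render one mysql_table file per listener
# port from a single shared connection file and a single query template.

# render_port_maps CONN_FILE TEMPLATE OUT_DIR PORT...
#   CONN_FILE  hosts/user/password/dbname lines, maintained in one place
#   TEMPLATE   the query line; @PORT@ is a placeholder token assumed here
render_port_maps() {
    conn=$1 tmpl=$2 out=$3
    shift 3
    [ -r "$conn" ] && [ -r "$tmpl" ] && [ -d "$out" ] || {
        echo "missing input file or output directory" >&2; return 2; }
    # Validate every port first so a bad argument leaves no partial output
    # and nothing but digits is ever substituted into the SQL text.
    for port in "$@"; do
        case $port in
            ''|0*|*[!0-9]*) echo "rejecting port: $port" >&2; return 1 ;;
        esac
        [ "${#port}" -le 5 ] && [ "$port" -le 65535 ] || {
            echo "port out of range: $port" >&2; return 1; }
    done
    (
        umask 027   # the generated files carry the database password
        for port in "$@"; do
            target="$out/port-$port.cf"
            { cat "$conn" && sed "s/@PORT@/$port/g" "$tmpl"; } > "$target.tmp" &&
                mv "$target.tmp" "$target" || exit 1
        done
    )
}

# Constructed sample input; the table and column names are made up.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'hosts = mydbhost.domain.tld' 'user = mydbUser' \
        'password = myPassword' 'dbname = myDB' > "$d/dbConf.cf"
    printf '%s\n' "query = SELECT dest FROM routes WHERE src = '%s' AND port = @PORT@" \
        > "$d/query.tmpl"
    render_port_maps "$d/dbConf.cf" "$d/query.tmpl" "$d" 2025 2026 2027 &&
        cat "$d/port-2026.cf"
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it with the argument `demo` to see one rendered file; the generated files are then referenced from master.cf or main.cf in place of the hand-maintained copies.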




Re: Impact of SSL renegotiation attacks on SMTP mail - REMOTE system compatibility with openssl 0.9.8l

2009-11-26 Thread gmx
>> 1) will 
>>   a) smtpd_tls_ask_ccert, 
>>   b) smtpd_tls_wrappermode, 
>>   c) smtpd_use_tls, 
>>   d) smtpd_enforce_tls
>> still work with the new openssl 0.9.8l
>> http://marc.info/?l=openssl-users&m=125751806022186&w=2 ?
> 2) should I upgrade the openssl on the MTA to that version?
>
> They will break if some REMOTE system wants to renegotiate TLS, using
> a protocol that is not supported by the LOCAL TLS implementation.
>
> Note that it says: "remote system wants to renegotiate". Postfix
> does not request renegotiation, as far as I know.
Anybody on the list has practical experience - e.g. 
4) with MS-Outlook and
5) Thunderbird directly connecting to postfix or
6) MS-Exchange
7) Any of the usual gateway suspects like IronPort, Borderware, ...
or does any of them regularly attempt TLS renegotiation?

Many thanks for any hints in advance

Ralf