Re: Want to Improve SSL/TLS security
On 2014-06-01 00:14, Juan Pablo wrote:
> Afternoon postfix users. I am trying to improve the encrypted connection to my mail server running postfix 2.7.0-1ubuntu0.2 but doing tests with https://starttls.info/ I am getting very low scores (E grade) for a number of reasons despite making what I thought were necessary changes

*forget* them, they don't understand E-Mail and are too dumb to realize the difference between http/smtp

we had this topic repeatedly here...

*any* encryption in case of opportunistic TLS is more secure than no encryption and by "improving" you likely force remote machines to fall back to completely unencrypted

just search the list archives, that topic starts to get boring
Re: Want to Improve SSL/TLS security
On 2014-05-31 22:34, li...@rhsoft.net wrote:
> *forget* them, they don't understand E-Mail and are too dumb to realize the difference between http/smtp

OK, forgetting them. I will be going encrypted connections only soon (yes, I realize the consequences) so I would like to be able to at the very least disable the insecure SSLv2, as I would not want to speak to any host that can do this weak protocol. Is there a reason why the following does not work?

smtpd_tls_mandatory_protocols = !SSLv2

Also, checktls.com reports that I have an invalid certificate. Any reason for this?
Re: Want to Improve SSL/TLS security
On Sat, May 31, 2014 at 10:14:58PM +, Juan Pablo wrote:
> Afternoon postfix users. I am trying to improve the encrypted connection to my mail server running postfix 2.7.0-1ubuntu0.2 but doing tests with https://starttls.info/ I am getting very low scores (E grade) for a number of reasons despite making what I thought were necessary changes

The scores assigned by that site are bogus. Ignore them.

-- 
Viktor.
Re: Want to Improve SSL/TLS security
On Sat, May 31, 2014 at 10:50:10PM +, Juan Pablo wrote:
> I will be going encrypted connections only soon (yes I realize the consequences)

For inbound submission? To a dedicated upstream relay host? With selected peer systems?

> so I would like to be able to at the very least disable the insecure SSLv2, as I would not want to speak to any host that can do this weak protocol. Is there a reason why the following does not work
>
> smtpd_tls_mandatory_protocols = !SSLv2

What do you mean by does not work?

> Also using checktls.com also reports that I have an invalid certificate. Any reason for this?

It is irrelevant, there is no such thing as an invalid certificate for MTA to MTA SMTP without DANE.

-- 
Viktor.
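An added example, not code posted by anyone in this thread. It illustrates the distinction behind the "does not work" question: Postfix applies smtpd_tls_mandatory_protocols only when the server runs mandatory TLS (smtpd_tls_security_level = encrypt, or the legacy smtpd_enforce_tls = yes); for opportunistic TLS (smtpd_tls_security_level = may, or legacy smtpd_use_tls = yes) the governing parameter is smtpd_tls_protocols, available since Postfix 2.6. The script reads a main.cf-style file, works out which of the two parameters is in force, and reports whether that parameter actually excludes SSLv2. The sample configuration embedded in it is constructed for this example; the file path and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not code posted in this thread. Audits a Postfix main.cf to
# show which protocol parameter actually governs the SMTP server:
#   smtpd_tls_security_level = may      -> smtpd_tls_protocols (Postfix 2.6+)
#   smtpd_tls_security_level = encrypt  -> smtpd_tls_mandatory_protocols
# The legacy switches smtpd_use_tls=yes / smtpd_enforce_tls=yes are treated
# as "may" / "encrypt", which is how Postfix interprets them when the
# security level is unset. Only the given file is read; compiled-in defaults
# (postconf -d) and master.cf "-o" overrides are not consulted.

# Constructed sample, modelled on the settings discussed above: the
# mandatory-only exclusion is set while the server runs opportunistic TLS.
SAMPLE_MAINCF='smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols = !SSLv2
smtpd_tls_cert_file = /etc/ssl/certs/mail.pem
'

# write_sample FILE: write the constructed sample to FILE.
write_sample() {
    printf '%s' "$SAMPLE_MAINCF" > "$1"
}

# cf_get FILE KEY: print the value of KEY from FILE ("" if unset).
# Comment lines are skipped and the last occurrence wins, as with postconf -n.
cf_get() {
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (index(line, k) == 1) {
                rest = substr(line, length(k) + 1)
                if (rest ~ /^[ \t]*=/) {
                    sub(/^[ \t]*=[ \t]*/, "", rest)
                    sub(/[ \t]+$/, "", rest)
                    v = rest
                }
            }
        }
        END { print v }' "$1"
}

# tls_protocol_param FILE: name the parameter that selects protocols for the
# configured server-side security level ("none" if TLS is off).
tls_protocol_param() {
    lvl=$(cf_get "$1" smtpd_tls_security_level)
    if [ -z "$lvl" ]; then
        if [ "$(cf_get "$1" smtpd_enforce_tls)" = yes ]; then
            lvl=encrypt
        elif [ "$(cf_get "$1" smtpd_use_tls)" = yes ]; then
            lvl=may
        fi
    fi
    case "$lvl" in
        encrypt) echo smtpd_tls_mandatory_protocols ;;
        may)     echo smtpd_tls_protocols ;;
        ""|none) echo none ;;
        *)       echo unknown ;;
    esac
}

# audit_sslv2 FILE: return 0 if SSLv2 is excluded by the parameter that
# applies at the configured level, 1 otherwise, with a one-line explanation.
audit_sslv2() {
    p=$(tls_protocol_param "$1")
    case "$p" in
        none)    echo "TLS is not enabled for smtpd"; return 1 ;;
        unknown) echo "unrecognised smtpd_tls_security_level"; return 1 ;;
    esac
    v=$(cf_get "$1" "$p")
    case "$v" in
        "")         echo "NOT OK: $p is not set here; check 'postconf -d $p'"; return 1 ;;
        *'!SSLv2'*) echo "OK: $p = $v"; return 0 ;;
        *'!'*)      echo "NOT OK: $p = $v excludes protocols but not SSLv2"; return 1 ;;
        *SSLv2*)    echo "NOT OK: $p = $v lists SSLv2 explicitly"; return 1 ;;
        *)          echo "OK: $p = $v (inclusive list without SSLv2)"; return 0 ;;
    esac
}

# Run against the constructed sample: reports NOT OK, because at level "may"
# smtpd_tls_mandatory_protocols is ignored and smtpd_tls_protocols is unset.
tmp=$(mktemp)
write_sample "$tmp"
audit_sslv2 "$tmp" || :   # a non-zero status is the expected finding here
rm -f "$tmp"
```

To check a live server, point audit_sslv2 at /etc/postfix/main.cf, but treat `postconf -n` as the authoritative view: this script does not see compiled-in defaults, nor per-service overrides in master.cf (a submission service typically carries `-o smtpd_tls_security_level=encrypt`, for which smtpd_tls_mandatory_protocols is the parameter that counts).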