Re: TLS issue with purchase order emails from ariba.com system.

2022-06-14 Thread P V Anthony
On 15/6/2022 3:08 am, Viktor Dukhovni wrote: Increasing security is primarily about raising the *ceiling*, and rarely about raising the floor. When you set the bar too high, instead of greater security, mail is sent in the clear or not at all.

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-14 Thread Viktor Dukhovni
On Wed, Jun 15, 2022 at 12:33:52AM +0200, Steffen Nurpmeso wrote: > Viktor Dukhovni wrote in > : > |On Wed, Jun 15, 2022 at 12:07:25AM +0530, P V Anthony wrote: > |> On 13/6/2022 4:31 pm, Wietse Venema wrote: > ... > |Two comments on your server setup: > | > |* The server certificate

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-14 Thread Steffen Nurpmeso
Viktor Dukhovni wrote in : |On Wed, Jun 15, 2022 at 12:07:25AM +0530, P V Anthony wrote: |> On 13/6/2022 4:31 pm, Wietse Venema wrote: ... |Two comments on your server setup: | |* The server certificate is 4096 bit RSA. This is needlessly turgid. The FreeBSD handbook recommended 4096

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-14 Thread Viktor Dukhovni
On Tue, Jun 14, 2022 at 05:51:17PM -0400, Dan Mahoney wrote: > Postfix has sane defaults as long as you run a fairly recent version, > and the developers have clue. Not all apps have sane defaults (for > example, I could see the need to configure default SSL configs with > Sendmail). Even when

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-14 Thread Dan Mahoney
> On Jun 14, 2022, at 5:30 PM, P V Anthony wrote: > > On 15/6/2022 2:43 am, Viktor Dukhovni wrote: > >> The simplest configuration is therefore to just leave the parameter >> unset, the default value will be sensible. > > I have just commented out smtpd_tls_dh1024_param_file > > I have made

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-14 Thread Viktor Dukhovni
On Wed, Jun 15, 2022 at 03:00:58AM +0530, P V Anthony wrote: > On 15/6/2022 2:43 am, Viktor Dukhovni wrote: > > > The simplest configuration is therefore to just leave the parameter > > unset, the default value will be sensible. > > I have just commented out smtpd_tls_dh1024_param_file > > I

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-14 Thread P V Anthony
On 15/6/2022 2:43 am, Viktor Dukhovni wrote: The simplest configuration is therefore to just leave the parameter unset, the default value will be sensible. I have just commented out smtpd_tls_dh1024_param_file I have made so many mistakes trying to increase security. Talk about bobo on

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-14 Thread Viktor Dukhovni
On Wed, Jun 15, 2022 at 01:45:36AM +0530, P V Anthony wrote: > smtpd_tls_dh1024_param_file = /etc/pki/tls/private/postfix.dh.param Also, this appears to be a 4096-bit DH key, again much too turgid. Use 2048 bits instead: https://www.postfix.org/postconf.5.html#smtpd_tls_dh1024_param_file

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-14 Thread P V Anthony
On 15/6/2022 2:33 am, Viktor Dukhovni wrote: Actually, don't. I meant "2". Ok. I have just changed it to "2". Thank you for being patient. P.V.Anthony

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-14 Thread Viktor Dukhovni
On Wed, Jun 15, 2022 at 01:46:49AM +0530, P V Anthony wrote: > On 15/6/2022 1:32 am, Viktor Dukhovni wrote: > > > You may need to temporarily raise the TLS log level to "2". > > > > smtpd_tls_loglevel = 2 > > Just did smtpd_tls_loglevel = 3 just to be sure. Actually, don't. I meant "2".

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-14 Thread P V Anthony
On 15/6/2022 2:16 am, Viktor Dukhovni wrote: Either add the option: --preferred-chain "ISRG Root X1" to your cron job running "certbot renew", or else add the following to configuration under /etc/letsencrypt/renewal/, preferred_chain = ISRG Root X1 Wow!!! Thank you very much

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-14 Thread P V Anthony
On 15/6/2022 2:20 am, Viktor Dukhovni wrote: For this, in the renewal configuration file: rsa_key_size = 2048 or on the command-line: --rsa-key-size=2048 Thank you very very very much for helping. I really do appreciate it very very very much. This advice has saved me a lot of

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-14 Thread Viktor Dukhovni
On Wed, Jun 15, 2022 at 01:56:59AM +0530, P V Anthony wrote: > On 15/6/2022 1:45 am, Viktor Dukhovni wrote: > > > Two comments on your server setup: > > > > * The server certificate is 4096 bit RSA. This is needlessly turgid. > >The issuing CA is 2048 bits, there is little to gain

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-14 Thread Viktor Dukhovni
On Wed, Jun 15, 2022 at 01:56:59AM +0530, P V Anthony wrote: > > * The "Let's Encrypt CA" chain is configured for compatibility with > > legacy Android systems that trust the expired "DST" root CA: > > > > subject=CN = prometheus.mindmedia.com.sg > > issuer=C = US, O = Let's Encrypt, CN

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-14 Thread P V Anthony
On 15/6/2022 1:45 am, Viktor Dukhovni wrote: Two comments on your server setup: * The server certificate is 4096 bit RSA. This is needlessly turgid. The issuing CA is 2048 bits, there is little to gain from a stronger EE key. Some peer libraries may not support keys of

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-14 Thread P V Anthony
On 15/6/2022 1:32 am, Viktor Dukhovni wrote: You may need to temporarily raise the TLS log level to "2". smtpd_tls_loglevel = 2 Just did smtpd_tls_loglevel = 3 just to be sure. This is unfortunately going to apply to all remote clients, not just "ariba". Noted. P.V.Anthony
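Raising smtpd_tls_loglevel to 2, as advised above and in the earlier "I meant 2" exchange, logs the handshake of every remote client, not only the one whose mail is missing. The following is an added example, not code from the thread or from the Postfix project, that reduces such a log to one line per STARTTLS attempt and lets you pick out a single sender by name. The log entries inside it are constructed for this example (example.net and example.com hosts, RFC 5737 addresses); their shape follows what Postfix's smtpd and OpenSSL log for a successful handshake and for an SSL_accept failure, which is an assumption about the format rather than output taken from the thread.

```shell
#!/bin/sh
# Added example (not from the postfix-users thread): summarise per-client
# STARTTLS outcomes from smtpd log lines captured while smtpd_tls_loglevel
# was raised, so one sender's failures stand out from everyone else's traffic.
# The sample entries below are constructed; the line shapes are assumed to
# match what Postfix and OpenSSL emit on handshake success and failure.

sample_tls_log() {
  cat <<'EOF'
Jun 14 18:10:01 mx postfix/smtpd[2101]: connect from mail.example.net[192.0.2.10]
Jun 14 18:10:01 mx postfix/smtpd[2101]: Anonymous TLS connection established from mail.example.net[192.0.2.10]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Jun 14 18:10:02 mx postfix/smtpd[2101]: disconnect from mail.example.net[192.0.2.10] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Jun 14 18:11:40 mx postfix/smtpd[2107]: connect from smtp-out.example.com[198.51.100.7]
Jun 14 18:11:40 mx postfix/smtpd[2107]: SSL_accept error from smtp-out.example.com[198.51.100.7]: -1
Jun 14 18:11:40 mx postfix/smtpd[2107]: warning: TLS library problem: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:ssl/record/rec_layer_s3.c:1543:SSL alert number 42:
Jun 14 18:11:40 mx postfix/smtpd[2107]: lost connection after STARTTLS from smtp-out.example.com[198.51.100.7]
EOF
}

# tls_outcomes LOGFILE: one "client<TAB>OK|FAIL<TAB>detail" line per handshake.
# The smtpd process id ties an "SSL_accept error" line to the "TLS library
# problem" warning that follows it from the same process.
tls_outcomes() {
  awk '
    function client_of(line, key,    s) {
      s = substr(line, index(line, key) + length(key))
      sub(/\]:.*/, "]", s)            # keep "host[addr]", drop the rest
      return s
    }
    /smtpd\[[0-9]+\]:/ {
      match($0, /smtpd\[[0-9]+\]/)
      pid = substr($0, RSTART + 6, RLENGTH - 7)
    }
    /TLS connection established from / {
      c = client_of($0, "established from ")
      d = $0; sub(/.*\]: /, "", d)     # protocol and cipher suite
      print c "\tOK\t" d
    }
    /SSL_accept error from / {
      failed[pid] = client_of($0, "error from ")
    }
    /warning: TLS library problem: / && (pid in failed) {
      d = $0; sub(/.*TLS library problem: /, "", d)
      print failed[pid] "\tFAIL\t" d
      delete failed[pid]
    }
    END {
      for (p in failed) print failed[p] "\tFAIL\t(no TLS library detail logged)"
    }
  ' "$1"
}

# tls_outcomes_for LOGFILE PATTERN: the same, restricted to one sender,
# e.g. the domain of the system whose purchase orders are not arriving.
tls_outcomes_for() {
  tls_outcomes "$1" | grep -F -- "$2"
}

# Demo on the constructed sample.
tmp=$(mktemp)
sample_tls_log > "$tmp"
tls_outcomes "$tmp"
rm -f "$tmp"
```

Run it against the real log with `tls_outcomes /var/log/maillog` (or whatever your syslog writes), then narrow with `tls_outcomes_for /var/log/maillog ariba`; once the failing sender's alert is identified, drop smtpd_tls_loglevel back to its default, since level 2 is noisy for every client.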

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-14 Thread P V Anthony
On 15/6/2022 12:38 am, Wietse Venema wrote: What is the output from: # postconf -nf | grep tls | grep -v smtp_ smtpd_tls_cert_file = /etc/postfix/smtpd.cert smtpd_tls_dh1024_param_file = /etc/pki/tls/private/postfix.dh.param smtpd_tls_key_file = /etc/postfix/smtpd.key smtpd_tls_loglevel = 3
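The three findings made further up the thread (a 4096-bit end-entity key behind a 2048-bit issuing CA, a Let's Encrypt chain ending in the expired DST root for legacy-Android compatibility, and 4096-bit DH parameters in smtpd_tls_dh1024_param_file) can all be read off the files named in the postconf output above. The following is an added example, not code from the thread or from Postfix, that does so with openssl(1). It assumes only openssl is installed; the certificate bundle and DH parameter file are passed as arguments (for certbot that is /etc/letsencrypt/live/<host>/fullchain.pem, and the file named in smtpd_tls_dh1024_param_file), and the thresholds and wording of the notes are the thread's, not something openssl reports.

```shell
#!/bin/sh
# Added example (not from the postfix-users thread): inspect the key size,
# chain and DH parameters a Postfix smtpd would present.  Assumes openssl(1);
# file paths are given as arguments.

# RSA modulus size of the first (end-entity) certificate in a PEM file.
cert_rsa_bits() {
  openssl x509 -in "$1" -noout -text \
    | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# subject=/issuer= lines for every certificate in a PEM bundle (fullchain.pem).
chain_issuers() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Issuer of the last certificate in the bundle: the root the chain asks the
# peer to trust.  For Let's Encrypt this is either "ISRG Root X1" (short chain)
# or "DST Root CA X3" (long chain via the expired cross-sign).
chain_last_issuer() {
  chain_issuers "$1" | sed -n 's/^issuer=//p' | tail -n 1
}

# Size of the prime in an "openssl dhparam" file.
dh_bits() {
  openssl dhparam -in "$1" -noout -text \
    | sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# report CHAIN.pem [DHPARAM.pem]: print findings in the terms used in the thread.
report() {
  chain=$1
  dh=${2:-}
  bits=$(cert_rsa_bits "$chain")
  echo "server certificate: ${bits}-bit RSA"
  if [ "${bits:-0}" -gt 2048 ]; then
    echo "  note: larger than the 2048-bit issuing CA key; consider rsa_key_size = 2048"
  fi
  last=$(chain_last_issuer "$chain")
  echo "chain ends with issuer: $last"
  case $last in
    *"DST Root CA X3"*)
      echo "  note: long chain through the expired DST root (legacy-Android compatibility);"
      echo "        consider preferred_chain = \"ISRG Root X1\" in the certbot renewal config" ;;
  esac
  if [ -n "$dh" ]; then
    echo "DH parameters: $(dh_bits "$dh") bit (2048 is enough; or leave smtpd_tls_dh1024_param_file unset)"
  fi
}

# Usage: sh tlscheck.sh fullchain.pem [postfix.dh.param]
if [ "$#" -ge 1 ]; then
  report "$@"
fi
```

The script reads the files on disk; to confirm what remote clients actually receive after a certbot renewal and postfix reload, compare against `openssl s_client -starttls smtp -connect mail.example:25 -showcerts`, whose certificate list should now end at the ISRG Root X1 intermediate rather than the DST cross-sign.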

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-14 Thread Viktor Dukhovni
On Wed, Jun 15, 2022 at 12:07:25AM +0530, P V Anthony wrote: > On 13/6/2022 4:31 pm, Wietse Venema wrote: > > > Delete the TLS protocol and cipher crap, and see if that solves > > the problem. > > I am sad to report, even after removing the bad configs, the ariba > emails are still not coming

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-14 Thread Wietse Venema
P V Anthony: > On 13/6/2022 4:31 pm, Wietse Venema wrote: > > > Delete the TLS protocol and cipher crap, and see if that solves > > the problem. > > I am sad to report, even after removing the bad configs, the ariba > emails are still not coming in. > > Here are the logs. Is there any other

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-14 Thread P V Anthony
On 13/6/2022 4:31 pm, Wietse Venema wrote: Delete the TLS protocol and cipher crap, and see if that solves the problem. I am sad to report, even after removing the bad configs, the ariba emails are still not coming in. Here are the logs. Is there any other thing I can do? --

Re: Implementing a delay between connection closing and reopening

2022-06-14 Thread Viktor Dukhovni
On Tue, Jun 14, 2022 at 04:57:49PM +0200, Yves-Marie Le Pors Chauvel wrote: > == > #service type private unpriv chroot wakeup maxproc command + args > # (yes) (yes) (yes) (never) (100)# >

Re: Implementing a delay between connection closing and reopening

2022-06-14 Thread Matus UHLAR - fantomas
On 14.06.22 16:57, Yves-Marie Le Pors Chauvel wrote: Using Postfix 3.5.6, only one IP per postfix instance, I have an issue with a specific Mailbox Provider limiting to 3 ingoing connections per IP. ==# service type

Re: Implementing a delay between connection closing and reopening

2022-06-14 Thread Wietse Venema
Yves-Marie Le Pors Chauvel: > Is there a way to implement a delay between connection closing and > reopening for a specific transport in Postfix, while still using connection > reuse ? No, you can't. When email volume drops, the Postfix SMTP client will not try to reuse a connection even if there

Re: What is happening here? (TLS Library Problem)

2022-06-14 Thread Demi Marie Obenour
On 6/10/22 08:55, Gerben Wierda wrote: > >> On 10 Jun 2022, at 13:17, Wietse Venema wrote: >> >> Wietse Venema: >>> Gerben Wierda: > On 10 Jun 2022, at 02:30, Wietse Venema wrote: > > Gerben Wierda: >> What is happening here? (mail is delivered, I'm just curious) >>

Implementing a delay between connection closing and reopening

2022-06-14 Thread Yves-Marie Le Pors Chauvel
Hi there, Using Postfix 3.5.6, only one IP per postfix instance, I have an issue with a specific Mailbox Provider limiting to 3 ingoing connections per IP. Here is my setup for this Mailbox Provider for outgoing connections to this provider : In master.cf : *#