Re: TLS issue with purchase order emails from ariba.com system.

2022-06-17 Thread P V Anthony
On 17/6/2022 12:11 pm, raf wrote: Something like the following should do it (after making the renewal config changes that Viktor mentioned (or including them in the command)): certbot renew --force-renewal --cert-name XXX Also note that there is a very useful forum for help with

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-17 Thread raf
On Wed, Jun 15, 2022 at 11:09:10PM +0530, P V Anthony wrote: > Please note, I am still finding how to force renew with the letsencrypt > certs with the new renewal settings. Something like the following should do it (after making the renewal config changes that Viktor mentioned (or including

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-16 Thread P V Anthony
On 16/6/2022 8:16 pm, Viktor Dukhovni wrote: So it is far from clear what you could do to make this client happy. Perhaps some security middlebox near the client is misbehaving, or its TLS stack is broken beyond repair. Your best may be to disable STARTTLS for connections from this client:

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-16 Thread Viktor Dukhovni
On Wed, Jun 15, 2022 at 03:09:16PM -0400, Viktor Dukhovni wrote: > You can share the PCAP file with me off-list. Thanks for the PCAP file. An immediate interesting feature is how the connection is terminated ("tcpdump" output edited to trim excess detail): 22:32:13.555416 1711 > 25: [S],

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-15 Thread Viktor Dukhovni
On Wed, Jun 15, 2022 at 11:09:10PM +0530, P V Anthony wrote: > Unfortunately I am not experienced enough to find the problem from the logs. > > Any suggestions? > > Please note, I am still finding how to force renew with the letsencrypt > certs with the new renewal settings. > >

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-15 Thread P V Anthony
On 15/6/2022 3:08 am, Viktor Dukhovni wrote: Increasing security is primarily about raising the *ceiling*, and rarely about raising not floor. When you set the bar too high, instead of greater security, mail is sent in the clear or not at all. Got better logs for the ariba.com problem. The

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-14 Thread P V Anthony
On 15/6/2022 3:08 am, Viktor Dukhovni wrote: Increasing security is primarily about raising the *ceiling*, and rarely about raising not floor. When you set the bar too high, instead of greater security, mail is sent in the clear or not at all.

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-14 Thread Viktor Dukhovni
On Wed, Jun 15, 2022 at 12:33:52AM +0200, Steffen Nurpmeso wrote: > Viktor Dukhovni wrote in > : > |On Wed, Jun 15, 2022 at 12:07:25AM +0530, P V Anthony wrote: > |> On 13/6/2022 4:31 pm, Wietse Venema wrote: > ... > |Two comments on your server setup: > | > |* The server certificate

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-14 Thread Steffen Nurpmeso
Viktor Dukhovni wrote in : |On Wed, Jun 15, 2022 at 12:07:25AM +0530, P V Anthony wrote: |> On 13/6/2022 4:31 pm, Wietse Venema wrote: ... |Two comments on your server setup: | |* The server certificate is 4096 bit RSA. This is needlessly turgid. The FreeBSD handbook recommended 4096

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-14 Thread Viktor Dukhovni
On Tue, Jun 14, 2022 at 05:51:17PM -0400, Dan Mahoney wrote: > Postfix has sane defaults as long as you run a fairly recent version, > and the developers have clue. Not all apps have sane defaults (for > example, I could see the need to configure default SSL configs with > Sendmail). Even when

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-14 Thread Dan Mahoney
> On Jun 14, 2022, at 5:30 PM, P V Anthony wrote: > > On 15/6/2022 2:43 am, Viktor Dukhovni wrote: > >> The simplest configuration is therefore to just leave the parameter >> unset, the default value will be sensible. > > I have just commented out smtpd_tls_dh1024_param_file > > I have made

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-14 Thread Viktor Dukhovni
On Wed, Jun 15, 2022 at 03:00:58AM +0530, P V Anthony wrote: > On 15/6/2022 2:43 am, Viktor Dukhovni wrote: > > > The simplest configuration is therefore to just leave the parameter > > unset, the default value will be sensible. > > I have just commented out smtpd_tls_dh1024_param_file > > I

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-14 Thread P V Anthony
On 15/6/2022 2:43 am, Viktor Dukhovni wrote: The simplest configuration is therefore to just leave the parameter unset, the default value will be sensible. I have just commented out smtpd_tls_dh1024_param_file I have made so many mistakes trying to increase security. Talk about bobo on

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-14 Thread Viktor Dukhovni
On Wed, Jun 15, 2022 at 01:45:36AM +0530, P V Anthony wrote: > smtpd_tls_dh1024_param_file = /etc/pki/tls/private/postfix.dh.param Also, this appears to be a 4096-bit DH key, again much too turgid. Use 2048 bits instead: https://www.postfix.org/postconf.5.html#smtpd_tls_dh1024_param_file

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-14 Thread P V Anthony
On 15/6/2022 2:33 am, Viktor Dukhovni wrote: Actually, don't. I meant "2". Ok. I have just changed it to "2". Thank you for being patient. P.V.Anthony

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-14 Thread Viktor Dukhovni
On Wed, Jun 15, 2022 at 01:46:49AM +0530, P V Anthony wrote: > On 15/6/2022 1:32 am, Viktor Dukhovni wrote: > > > You may need to temporarily raise the TLS log level to "2". > > > > smtpd_tls_loglevel = 2 > > Just did smtpd_tls_loglevel = 3 just to be sure. Actually, don't. I meant "2".

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-14 Thread P V Anthony
On 15/6/2022 2:16 am, Viktor Dukhovni wrote: Either add the option: --preferred-chain "ISRG Root X1" to your cron job running "certbot renew", or else add the following to configuration under /etc/letsencrypt/renewal/, preferred_chain = ISRG Root X1 Wow!!! Thank you very much

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-14 Thread P V Anthony
On 15/6/2022 2:20 am, Viktor Dukhovni wrote: For this, in the renewal configuration file: rsa_key_size = 2048 or on the command-line: --rsa-key-size=2048 Thank you very very very much for helping. I really do appreciate it very very very much. This advice has saved me a lot of

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-14 Thread Viktor Dukhovni
On Wed, Jun 15, 2022 at 01:56:59AM +0530, P V Anthony wrote: > On 15/6/2022 1:45 am, Viktor Dukhovni wrote: > > > Two comments on your server setup: > > > > * The server certificate is 4096 bit RSA. This is needlessly turgid. > >The issuing CA is 2048 bits, there is little to gain

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-14 Thread Viktor Dukhovni
On Wed, Jun 15, 2022 at 01:56:59AM +0530, P V Anthony wrote: > > * The "Let's Encrypt CA" chain is configured for compatibility with > > legacy Android systems that trust the expired "DST" root CA: > > > > subject=CN = prometheus.mindmedia.com.sg > > issuer=C = US, O = Let's Encrypt, CN

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-14 Thread P V Anthony
On 15/6/2022 1:45 am, Viktor Dukhovni wrote: Two comments on your server setup: * The server certificate is 4096 bit RSA. This is needlessly turgid. The issuing CA is 2048 bits, there is little to gain from a stronger EE key. Some peer libraries may not support keys of

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-14 Thread P V Anthony
On 15/6/2022 1:32 am, Viktor Dukhovni wrote: You may need to temporarily raise the TLS log level to "2". smtpd_tls_loglevel = 2 Just did smtpd_tls_loglevel = 3 just to be sure. This is unfortunately going to apply to all remote clients, not just "ariba". Noted. P.V.Anthony

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-14 Thread P V Anthony
On 15/6/2022 12:38 am, Wietse Venema wrote: What is the output from: # postconf -nf | grep tls | grep -v smtp_ smtpd_tls_cert_file = /etc/postfix/smtpd.cert smtpd_tls_dh1024_param_file = /etc/pki/tls/private/postfix.dh.param smtpd_tls_key_file = /etc/postfix/smtpd.key smtpd_tls_loglevel = 3

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-14 Thread Viktor Dukhovni
On Wed, Jun 15, 2022 at 12:07:25AM +0530, P V Anthony wrote: > On 13/6/2022 4:31 pm, Wietse Venema wrote: > > > Delete the TLS protocol and cipher crap, and see if that solves > > the problem. > > I am sad to report, even after removing the bad configs, the ariba > emails are still not coming

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-14 Thread Viktor Dukhovni
On Wed, Jun 15, 2022 at 12:07:25AM +0530, P V Anthony wrote: > On 13/6/2022 4:31 pm, Wietse Venema wrote: > > > Delete the TLS protocol and cipher crap, and see if that solves > > the problem. > > I am sad to report, even after removing the bad configs, the ariba > emails are still not coming

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-14 Thread Wietse Venema
P V Anthony: > On 13/6/2022 4:31 pm, Wietse Venema wrote: > > > Delete the TLS protocol and cipher crap, and see if that solves > > the problem. > > I am sad to report, even after removing the bad configs, the ariba > emails are still not coming in. > > Here are the logs. Is there any other

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-14 Thread P V Anthony
On 13/6/2022 4:31 pm, Wietse Venema wrote: Delete the TLS protocol and cipher crap, and see if that solves the problem. I am sad to report, even after removing the bad configs, the ariba emails are still not coming in. Here are the logs. Is there any other thing I can do? --

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-13 Thread P V Anthony
On 13/6/2022 5:04 pm, Viktor Dukhovni wrote: Well, it is certainly not recommended in the Postfix documentation. Various OpenSSL cipher recommendations on the Internet are generally a bad idea. So sure, "crap". Thank you very much, Wietse and Viktor, for taking the time to reply and

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-13 Thread Viktor Dukhovni
On Mon, Jun 13, 2022 at 04:57:27PM +0530, P V Anthony wrote: > > Haha! Oh no! I must have made such a big mistake for it to be called > crap. Haha! Well, it is certainly not recommended in the Postfix documentation. Various OpenSSL cipher recommendations on the Internet are generally a bad

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-13 Thread P V Anthony
On 13/6/2022 4:31 pm, Wietse Venema wrote: Delete the TLS protocol and cipher crap, and see if that solves the problem. Thank you very much for replying and helping. Haha! Oh no! I must have made such a big mistake for it to be called crap. Haha! Just to confirm, are these to be deleted?

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-13 Thread Wietse Venema
P V Anthony: > Hi, > > Having problems with purchase order emails from ariba.com systems. > > Has anyone experienced this similar issue with ariba.com? > > Here are the logs from our side. Delete the TLS protocol and cipher crap, and see if that solves the problem. Wietse

TLS issue with purchase order emails from ariba.com system.

2022-06-13 Thread P V Anthony
Hi, Having problems with purchase order emails from ariba.com systems. Has anyone experienced this similar issue with ariba.com? Here are the logs from our side. -- start Jun 13 15:13:22 mail postfix/smtpd[4153705]: connect from