Leonardo Rodrigues wrote on 21.07.20 at 08:44:21:
> On 20/07/2020 22:44, Viktor Dukhovni wrote:
> > If CentOS 8 requires a default floor of TLS 1.2, and have not patched
> > Postfix to relax that system-default constraint, then you're stuck
> > with TLS >= 1.2 until a suitable work-arou
On 22/07/2020 12:45, Viktor Dukhovni wrote:
The plan is to soon not require Postfix users to go down that particular
rabbit hole. Instead Postfix will disable any TLS protocol lower/upper
bounds inherited from system policy, and apply its own, based on
whichever of:
lmtp_tls_protocols,
On Wed, Jul 22, 2020 at 11:11:27AM -0400, Xavier Belanger wrote:
> It is, the idea is to define an exception in the system crypto policy
> used by the system. There are multiple ways to do this:
>
> [
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening
Hi,
Kris Deugau wrote:
> It should be possible to set options like this in /etc somewhere, which
> shouldn't be overwritten on package upgrades. I'm not sure where
> CentOS/RHEL/Fedora have put the relevant OpenSSL configuration recently,
> but on Debian and derivatives this can be set in /e
Xavier Belanger wrote:
Hi,
Leonardo Rodrigues wrote:
You nailed it, Viktor and Xavier, it was the default system-wide
setup on the CentOS 8 OS from file
/usr/share/crypto-policies/DEFAULT/opensslcnf.txt
setting MinProtocol to TLSv1 there did the trick.
Thank you guys!
On 22/07/20 9:02 am, Xavier Belanger wrote:
Hi,
Leonardo Rodrigues wrote:
You nailed it, Viktor and Xavier, it was the default system-wide
setup on the CentOS 8 OS from file
/usr/share/crypto-policies/DEFAULT/opensslcnf.txt
setting MinProtocol to TLSv1 there did the trick.
>Xavier Belanger:
> One piece of advice: [opensslcnf.txt] may be considered as a "system
> file" and could be overwritten in the future by some CentOS update.
> Make sure to document that change and to keep an eye on that file;
> or to define your own policy (custom policies are not overwritten).
Hi,
Leonardo Rodrigues wrote:
> You nailed it, Viktor and Xavier, it was the default system-wide
> setup on the CentOS 8 OS from file
>
> /usr/share/crypto-policies/DEFAULT/opensslcnf.txt
>
> setting MinProtocol to TLSv1 there did the trick.
>
> Thank you guys!
You're welcom
On 20/07/2020 22:44, Viktor Dukhovni wrote:
If CentOS 8 requires a default floor of TLS 1.2, and have not patched
Postfix to relax that system-default constraint, then you're stuck
with TLS >= 1.2 until a suitable work-around is made available in
their Postfix package.
You nailed it, Vi
Hi,
> I'm setting up a new postfix 3.5.4 server on a CentOS 8 box and,
> no matter what config I make, I can't get TLSv1 (yes, sorry, need to
> support some old clients until the end of the year) support to work.
I have been working with Red Hat Enterprise Linux 8 and very likely
CentOS is
On Mon, Jul 20, 2020 at 09:51:38PM -0300, Leonardo Rodrigues wrote:
> I have already tweaked smtpd_tls_mandatory_protocols and
> smtpd_tls_protocols to "!SSLv2, !SSLv3" but TLSv1 simply doesn't work.
Postfix does not set a minimum TLS protocol version, it just disables
the versions specified wit
Hello Everyone,
I'm setting up a new postfix 3.5.4 server on a CentOS 8 box and, no
matter what config I make, I can't get TLSv1 (yes, sorry, need to
support some old clients until the end of the year) support to work.
I have already tweaked smtpd_tls_mandatory_protocols and
sm