Hi :-)
These days where the NSA is watching us I decided to make my server as
secure as possible.
For qmail it means to use TLS with strong encryption - openssl with "-ciphers EDHS:DE" for example.
The original QMAIL without spamdyke works fine:
openssl s_client -starttls smtp -connect localhos
Hmmm... I think you may be beyond the edge of my expertise, but I'll certainly
try to help if I can. spamdyke uses the OpenSSL library to handle SSL and TLS,
so anything that works with OpenSSL on the command line should work with
spamdyke as well. The option "tls-cipher-list" serves the same
Hi Sam,
is it possible that the problem is because of missing "dh keys"?
I think (!) spamdyke doesn't use or call something like this here:
http://www.openssl.org/docs/ssl/SSL_CTX_set_tmp_dh_callback.html - read the
'notes' part
so cipher with EDHE:DE won't work.
My server/openssl is fine because t
Looking forward to the Update :-)
2013/9/10 Sam Clippinger
> I think you're exactly right -- I'll need to add another TLS option to
> spamdyke to accept the DH parameters and pass them to OpenSSL with the
> callback. I'll have to figure out how to test it as well...
>
> Thanks for finding that
I think you're exactly right -- I'll need to add another TLS option to spamdyke
to accept the DH parameters and pass them to OpenSSL with the callback. I'll
have to figure out how to test it as well...
Thanks for finding that link, I don't think I would have even looked at a
function with "tmp
Just for the records:
With Version 5.0.0 and the new option "tls-dhparams-file" everything works
great, TLS uses the strong cipher suites now!
Thank you :-)
2013-09-10 Marc Gregel :
> Looking forward to the Update :-)
>
>
> 2013/9/10 Sam Clippinger
>
>> I think you're exactly right -- I'll need
Marc (& Sam),
Would you please elaborate a little on this? I'm trying to straighten
things up on QMail-Toaster and could use a little help. I'm far from an
openssl expert, but I'm learning. ;)
The qmail TLS patch that's presently in place (Frederik Vermeulen -
qmail-tls 20060104 http://inoa.ne
I posted that just a *little* too early. Here the answer to my previous
questions:
http://openssl.6102.n7.nabble.com/Size-of-ephemeral-DH-keys-td15181.html
Sam, the post scripts still apply.
On 03/28/2014 11:47 AM, Eric Shubert wrote:
> P.S. Sam, the documentation refers to "openssl dhparams". S
On 02/05/2014 06:34 AM, Marc Gregel wrote:
> Just for the records:
> With Version 5.0.0 and the new option "tls-dhparams-file" everything
> works great, TLS uses the strong cipher suites now!
> Thank you :-)
Marc,
What key length are you using in your dhparams file?
--
-Eric 'shubes'
On 3/28/2014 12:47 PM, Eric Shubert wrote:
I'm also wondering, should 2048 and 4096 key lengths also be included?
As of January 1, 2014 key lengths of 1024 are not to be allowed for
new installations going forward. Newly issued certs have to be for a
minimum of 2048 bit keys.
Eric,
at the moment I use the same file the "normal" qmail installation uses.
spamdyke.conf:
tls-dhparams-file=/var/qmail/control/dh1024.pem
2014-03-28 20:08 GMT+01:00 Eric Shubert :
> On 02/05/2014 06:34 AM, Marc Gregel wrote:
> > Just for the records:
> > With Version 5.0.0 and the new option
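An added example, not code from the thread or from spamdyke: a small Python checker that answers Eric's key-length question for any tls-dhparams-file by parsing the PEM (PKCS#3 DER, a SEQUENCE of prime and generator) and reporting the prime's bit length against a 2048-bit policy minimum. The sample PEM blocks are constructed in the code (their primes are not real safe primes) so it runs offline; the function names are assumptions.

```python
import base64
# PKCS#3 DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }: this is the
# DER that "openssl dhparam" writes between the BEGIN/END DH PARAMETERS lines.

def _der_len(n):
    """Encode a DER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der_int(value):
    """Encode a non-negative INTEGER, padding so the top bit is not read as a sign."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body

def encode_dhparams_pem(p, g=2):
    """Build a PEM 'DH PARAMETERS' block from p and g (used for the samples below)."""
    content = _der_int(p) + _der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len(len(content)) + content).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n%s\n-----END DH PARAMETERS-----\n" % "\n".join(lines)

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def check_dhparams(pem_text, minimum_bits=2048):
    """Parse a dhparams PEM and report the prime size against a policy minimum."""
    body = "".join(l for l in pem_text.splitlines() if not l.startswith("-----"))
    tag, seq, _ = _read_tlv(base64.b64decode(body), 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE; is this really a DH PARAMETERS file?")
    tag_p, p_bytes, pos = _read_tlv(seq, 0)
    tag_g, g_bytes, _ = _read_tlv(seq, pos)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected two INTEGERs (prime, generator)")
    bits = int.from_bytes(p_bytes, "big").bit_length()
    return {"bits": bits, "generator": int.from_bytes(g_bytes, "big"), "ok": bits >= minimum_bits}

# Constructed samples: the primes are NOT real safe primes, only their bit lengths
# matter here. A real file comes from e.g. "openssl dhparam -out dh2048.pem 2048".
SAMPLE_1024 = encode_dhparams_pem((1 << 1023) | 1)
SAMPLE_2048 = encode_dhparams_pem((1 << 2047) | 1)
```

To check a real file, pass `open("/var/qmail/control/dh1024.pem").read()` to check_dhparams and look at the "ok" flag.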
That should no doubt work, but it doesn't appear to be ideal for current
use. While I think BC is referring to signed certs, what we're referring
to here is the key exchange portion of the ciphers used with SSL. My
(somewhat limited) understanding is that they use related technology,
but their
I'm really sorry I haven't been able to get to spamdyke issues lately, let me
see if I can catch up...
I'll update the docs, thanks for the tip!
As for how the key size of the DH key relates to well, anything at all, I
honestly have no idea. The OpenSSL documentation is extremely frustrating t