tech-crypto archive
Re: openssl3+postfix issue (ca md too weak)
On Mon, Nov 13, 2023 at 10:58:38PM +0100, Steffen Nurpmeso wrote:
> Manuel Bouyer wrote in
> <ZVKXHU06IovpfKIt%antioche.eu.org@localhost>:
> |On Mon, Nov 13, 2023 at 10:24:56PM +0100, Steffen Nurpmeso wrote:
> |> Manuel Bouyer wrote in
> |> <ZVJ6LIrEPxlCEbNB%antioche.eu.org@localhost>:
> |>|Hello
> |>|I'm facing an issue with postfix+openssl3 which may be critical (depending
> |>|on how it can be fixed).
> |>|
> |>|Now my postfix setup fails to send mails with
> ...
> |>|From what I understood, this is the remote certificate which is not accepted:
> |>|openssl 3 deprecated some signature algorithms, which are no longer accepted
> ...
> |> Isn't that just postfix config.
> |
> |It's possible; but I didn't find anything relevant in the postfix docs
> |
> |> Btw *i* have no problem with
> |>
> |> smtpd_tls_ask_ccert = no
> |> smtpd_tls_auth_only = yes
> |> smtpd_tls_loglevel = 1
> |> #SMART The next is usually nice but when using client certificates
> |> smtpd_tls_received_header = no
> |> smtpd_tls_fingerprint_digest = sha256
> |> smtpd_tls_mandatory_protocols = >=TLSv1.2
> |> smtpd_tls_protocols = $smtpd_tls_mandatory_protocols
> |> # super modern, forward secrecy TLSv1.2 / TLSv1.3 selection..
> |> tls_high_cipherlist = EECDH+AESGCM:EECDH+AES256:EDH+AESGCM:CHACHA20
> |> smtpd_tls_mandatory_ciphers = high
> |> smtpd_tls_mandatory_exclude_ciphers = TLSv1
> |>
> |> ^ This works in practice without any noticeable trouble.
> |> (But then again i do not have to make money from that or my
> |> customers who must talk to ten-year-old refrigerators.)
> |
> |this is only server-side configuration; my problem is with client-side
> |rejecting the server's certificate
>
> Well i have
>
> #SMART comment out next
> smtp_tls_security_level = may
I have
smtp_tls_security_level = verify
and this is what I need because a username/passwd is sent as part of
the smtp transaction.
> # To always go directly SMTPS/SUBMISSIONS
> #smtp_tls_wrappermode = yes
> smtp_tls_fingerprint_digest = $smtpd_tls_fingerprint_digest
> smtp_tls_mandatory_protocols = $smtpd_tls_mandatory_protocols
> smtp_tls_protocols = $smtpd_tls_protocols
> #SMART When only relaying to smarthost, the next should be =high _or_better_!
> smtp_tls_mandatory_ciphers = $smtpd_tls_mandatory_ciphers
> smtp_tls_mandatory_exclude_ciphers = $smtpd_tls_mandatory_exclude_ciphers
> smtp_tls_ciphers = $smtpd_tls_ciphers
> smtp_tls_exclude_ciphers = $smtpd_tls_exclude_ciphers
> smtp_tls_connection_reuse = yes
>
> But if you have a problem with only one permanent remote partner
In my config I have 2 possible relays (depending on the From of the email)
and both show the same problem (yet with different certificates signed by
different CAs).
> you surely want a dedicated map for that one.
No, I need a strongly encrypted connection.
--
Manuel Bouyer <bouyer%antioche.eu.org@localhost>
NetBSD: 26 years of experience will always make the difference