Exim, DH, GnuTLS & interop fix with older mail clients

  • Robert Schetterer
    Message 1 of 5, Sep 6, 2013
      Hi, after configuring Viktor Dukhovni's workaround

      like

      http://marc.info/?l=postfix-users&m=137824308215202&w=2

      ...
      # openssl dhparam -out dh2048.pem 2048
      # postconf -e 'smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem'
      ...

      I had a report from one customer with Netscape 7 (a very old mail
      client) that he can't connect anymore via port 465 because of SSL failures,
      which I can see in the logs too.


      Does this sound plausible?


      Best Regards
      MfG Robert Schetterer

      --
      [*] sys4 AG

      http://sys4.de, +49 (89) 30 90 46 64
      Franziskanerstraße 15, 81669 München

      Registered office: München, Amtsgericht München: HRB 199263
      Management board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
      Chairman of the supervisory board: Florian Kirstein
    • Wietse Venema
      Message 2 of 5, Sep 7, 2013
        Robert Schetterer:
        > Hi, after configuring Viktor Dukhovni's workaround
        >
        > like
        >
        > http://marc.info/?l=postfix-users&m=137824308215202&w=2
        >
        > ...
        > # openssl dhparam -out dh2048.pem 2048
        > # postconf -e 'smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem'
        > ...
        >
        > I had a report from one customer with Netscape 7 (a very old mail
        > client) that he can't connect anymore via port 465 because of SSL failures,
        > which I can see in the logs too.
        >
        >
        > Does this sound plausible?

        There should be no need to use this on the submission/smtps service
        ports. The workaround is primarily for Debian Exim, i.e. MTA (port
        25) service.

        Wietse
      • Viktor Dukhovni
        Message 3 of 5, Sep 7, 2013
          On Sat, Sep 07, 2013 at 08:30:47AM +0200, Robert Schetterer wrote:

          > # openssl dhparam -out dh2048.pem 2048
          > # postconf -e 'smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem'
          > ...
          >
          > I had a report from one customer with Netscape 7 (a very old mail
          > client) that he can't connect anymore via port 465 because of SSL failures,
          > which I can see in the logs too.
          >
          > Does this sound plausible?

          Definitely. Ancient software may not be able to handle 2048-bit EDH.
          Fortunately, as Wietse points out, there is a simple work-around,
          deploy a different dhparam file on ports 465 and 587.

          # openssl dhparam -out dh1024.pem 1024
          # postconf -e 'submission_tls_dh1024_param_file = ${config_directory}/dh1024.pem'

          Then in master.cf:

          465 inet n ... smtpd
            -o smtpd_tls_wrappermode=yes
            -o smtpd_tls_dh1024_param_file=$submission_tls_dh1024_param_file
          ...
          587 inet n ... smtpd
            -o smtpd_tls_dh1024_param_file=$submission_tls_dh1024_param_file
          ...

          --
          Viktor.
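A small offline audit of the per-service override approach Viktor describes, added here as example code (not Postfix's own tooling and not from the thread): it parses a constructed master.cf excerpt and constructed main.cf values and reports which DH parameter file each smtpd service will actually load, so you can confirm that the 1024-bit group is confined to the client-facing ports 465 and 587 while port 25 keeps the 2048-bit file.

```python
import re

# Constructed master.cf excerpt (sample input, not a real server): 465 and 587 carry the
# per-service -o overrides from the thread, the port 25 smtpd inherits main.cf.
MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       n       -       -       smtpd
465       inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_tls_dh1024_param_file=$submission_tls_dh1024_param_file
587       inet  n       -       n       -       -       smtpd
  -o smtpd_tls_dh1024_param_file=$submission_tls_dh1024_param_file
"""
# Constructed main.cf values, as set by the postconf -e commands in the thread.
MAIN_CF = {
    "config_directory": "/etc/postfix",
    "smtpd_tls_dh1024_param_file": "${config_directory}/dh2048.pem",
    "submission_tls_dh1024_param_file": "${config_directory}/dh1024.pem",
}
_VAR = re.compile(r"\$\{?([A-Za-z0-9_]+)\}?")  # matches $name or ${name}

def parse_master_cf(text):
    """One dict per service; a line starting with whitespace continues the previous entry."""
    services = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():  # continuation line of the form "-o key=value"
            key, _, val = line.split()[1].partition("=")
            services[-1]["options"][key] = val
            continue
        f = line.split()  # service type private unpriv chroot wakeup maxproc command
        services.append({"name": f[0], "command": f[7], "options": {}})
    return services

def expand(value, params):
    """Expand $name / ${name} references recursively, as Postfix does for -o values."""
    for _ in range(10):  # bounded, so a self-referencing parameter cannot loop forever
        value = _VAR.sub(lambda m: params.get(m.group(1), ""), value)
    return value

def effective_dh_files(master_cf, main_cf):
    """Map each smtpd service to the DH file it loads: -o overrides beat main.cf."""
    result = {}
    for svc in parse_master_cf(master_cf):
        if svc["command"] == "smtpd":
            params = {**main_cf, **svc["options"]}
            result[svc["name"]] = expand(params["smtpd_tls_dh1024_param_file"], params)
    return result
```

On a live system `postconf -x` performs the same $name expansion for main.cf values; the script only reproduces the main.cf versus -o precedence rule offline on constructed input.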
        • Robert Schetterer
          Message 4 of 5, Sep 7, 2013
            On 07.09.2013 16:43, Viktor Dukhovni wrote:
            > On Sat, Sep 07, 2013 at 08:30:47AM +0200, Robert Schetterer wrote:
            >
            >> # openssl dhparam -out dh2048.pem 2048
            >> # postconf -e 'smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem'
            >> ...
            >>
            >> I had a report from one customer with Netscape 7 (a very old mail
            >> client) that he can't connect anymore via port 465 because of SSL failures,
            >> which I can see in the logs too.
            >>
            >> Does this sound plausible?
            >
            > Definitely. Ancient software may not be able to handle 2048-bit EDH.
            > Fortunately, as Wietse points out, there is a simple work-around,
            > deploy a different dhparam file on ports 465 and 587.
            >
            > # openssl dhparam -out dh1024.pem 1024
            > # postconf -e 'submission_tls_dh1024_param_file = ${config_directory}/dh1024.pem'
            >
            > Then in master.cf:
            >
            > 465 inet n ... smtpd
            >   -o smtpd_tls_wrappermode=yes
            >   -o smtpd_tls_dh1024_param_file=$submission_tls_dh1024_param_file
            > ...
            > 587 inet n ... smtpd
            >   -o smtpd_tls_dh1024_param_file=$submission_tls_dh1024_param_file
            > ...
            >

            I thought that way too,

            and did it that way before reading this post, so I am now waiting for
            a report back from the user.



            Best Regards
            MfG Robert Schetterer

          • Robert Schetterer
            Message 5 of 5, Sep 7, 2013
              On 07.09.2013 17:43, Robert Schetterer wrote:
              > On 07.09.2013 16:43, Viktor Dukhovni wrote:
              >> On Sat, Sep 07, 2013 at 08:30:47AM +0200, Robert Schetterer wrote:
              >>
              >>> # openssl dhparam -out dh2048.pem 2048
              >>> # postconf -e 'smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem'
              >>> ...
              >>>
              >>> I had a report from one customer with Netscape 7 (a very old mail
              >>> client) that he can't connect anymore via port 465 because of SSL failures,
              >>> which I can see in the logs too.
              >>>
              >>> Does this sound plausible?
              >>
              >> Definitely. Ancient software may not be able to handle 2048-bit EDH.
              >> Fortunately, as Wietse points out, there is a simple work-around,
              >> deploy a different dhparam file on ports 465 and 587.
              >>
              >> # openssl dhparam -out dh1024.pem 1024
              >> # postconf -e 'submission_tls_dh1024_param_file = ${config_directory}/dh1024.pem'
              >>
              >> Then in master.cf:
              >>
              >> 465 inet n ... smtpd
              >>   -o smtpd_tls_wrappermode=yes
              >>   -o smtpd_tls_dh1024_param_file=$submission_tls_dh1024_param_file
              >> ...
              >> 587 inet n ... smtpd
              >>   -o smtpd_tls_dh1024_param_file=$submission_tls_dh1024_param_file
              >> ...
              >>
              >
              > I thought that way too,
              >
              > and did it that way before reading this post, so I am now waiting for
              > a report back from the user.

              So, as expected, it was reported that everything is working again. Thanks for the help.

              >
              >
              >
              > Best Regards
              > MfG Robert Schetterer
              >



              Best Regards
              MfG Robert Schetterer
