
Re: Exim, DH, GnuTLS & interop fix with older mail clients

  • Robert Schetterer
    Message 1 of 5, Sep 7, 2013
      On 07.09.2013 16:43, Viktor Dukhovni wrote:
      > On Sat, Sep 07, 2013 at 08:30:47AM +0200, Robert Schetterer wrote:
      >
      >> # openssl dhparam -out dh2048.pem 2048
      >> # postconf -e 'smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem'
      >> ...
      >>
      >> I had a report from one customer with Netscape 7 (a very old mail
      >> client) that he can't connect anymore via port 465 due to SSL failures,
      >> which I can see in the logs too.
      >>
      >> Does this sound plausible?
      >
      > Definitely. Ancient software may not be able to handle 2048-bit EDH.
      > Fortunately, as Wietse points out, there is a simple work-around,
      > deploy a different dhparam file on ports 465 and 587.
      >
      > # openssl dhparam -out dh1024.pem 1024
      > # postconf -e 'submission_tls_dh1024_param_file = ${config_directory}/dh1024.pem'
      >
      > Then in master.cf:
      >
      > 465 inet n ... smtpd
      > -o smtpd_tls_wrappermode=yes
      > -o smtpd_tls_dh1024_param_file=$submission_tls_dh1024_param_file
      > ...
      > 587 inet n ... smtpd
      > -o smtpd_tls_dh1024_param_file=$submission_tls_dh1024_param_file
      > ...
      >

      I thought that way too,

      and did it that way before reading this post, so I am now waiting for
      a report back from the user.



      Best Regards
      Kind regards, Robert Schetterer

      --
      [*] sys4 AG

      http://sys4.de, +49 (89) 30 90 46 64
      Franziskanerstraße 15, 81669 München

      Registered office: München, Amtsgericht München: HRB 199263
      Executive board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
      Chairman of the supervisory board: Florian Kirstein
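The split-dhparam setup quoted above can be verified from the outside, port by port, instead of waiting for a user report. This is an added example, not code from the thread or from Postfix; it assumes an OpenSSL s_client of 1.0.2 or later (which prints a "Server Temp Key" line) and uses mail.example.com as a placeholder host.

```shell
# Added example, not from the thread: check from the outside which
# ephemeral DH size each Postfix listener actually negotiates once the
# 1024-bit and 2048-bit dhparam files are split as described above.
# Assumes OpenSSL >= 1.0.2 (s_client prints "Server Temp Key: ...") and
# uses mail.example.com as a placeholder host.

# Read s_client output on stdin and print the negotiated EDH size in bits.
# Prints "none" when the exchange was not plain DH (ECDH/RSA) or the
# handshake failed, so a legacy client's failure mode is visible too.
dh_bits_from_output() {
    awk '
        /^Server Temp Key: DH, / {
            sub(/.*DH, /, ""); sub(/ bits.*/, ""); print; found = 1
        }
        END { if (!found) print "none" }
    '
}

# Probe one port. Port 465 is TLS wrapper mode (no STARTTLS), while
# 25 and 587 need -starttls smtp. Restricting ciphers to EDH and pinning
# TLS 1.2 forces a DH key exchange, so the reported size is exactly
# what the dhparam file configured for that listener dictates.
probe_dh() {
    host=$1
    port=$2
    if [ "$port" = 465 ]; then
        starttls=""
    else
        starttls="-starttls smtp"
    fi
    # $starttls is intentionally unquoted so an empty value adds no argument
    printf 'QUIT\r\n' | openssl s_client -connect "$host:$port" $starttls \
        -tls1_2 -cipher 'EDH' 2>/dev/null | dh_bits_from_output
}

# Expected after the split: 465 and 587 report 1024, port 25 reports 2048.
# probe_dh mail.example.com 465
# probe_dh mail.example.com 25
```

A result of "none" on 465 means the server did not offer a plain DH exchange at all (or the handshake failed), which is worth checking before blaming the dhparam size.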
    • Robert Schetterer
      Message 2 of 5, Sep 7, 2013
        On 07.09.2013 17:43, Robert Schetterer wrote:
        > On 07.09.2013 16:43, Viktor Dukhovni wrote:
        >> On Sat, Sep 07, 2013 at 08:30:47AM +0200, Robert Schetterer wrote:
        >>
        >>> # openssl dhparam -out dh2048.pem 2048
        >>> # postconf -e 'smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem'
        >>> ...
        >>>
        >>> I had a report from one customer with Netscape 7 (a very old mail
        >>> client) that he can't connect anymore via port 465 due to SSL failures,
        >>> which I can see in the logs too.
        >>>
        >>> Does this sound plausible?
        >>
        >> Definitely. Ancient software may not be able to handle 2048-bit EDH.
        >> Fortunately, as Wietse points out, there is a simple work-around,
        >> deploy a different dhparam file on ports 465 and 587.
        >>
        >> # openssl dhparam -out dh1024.pem 1024
        >> # postconf -e 'submission_tls_dh1024_param_file = ${config_directory}/dh1024.pem'
        >>
        >> Then in master.cf:
        >>
        >> 465 inet n ... smtpd
        >> -o smtpd_tls_wrappermode=yes
        >> -o smtpd_tls_dh1024_param_file=$submission_tls_dh1024_param_file
        >> ...
        >> 587 inet n ... smtpd
        >> -o smtpd_tls_dh1024_param_file=$submission_tls_dh1024_param_file
        >> ...
        >>
        >
        > I thought that way too,
        >
        > and did it that way before reading this post, so I am now waiting for
        > a report back from the user.

        So, as expected, it was reported that everything is working again. Thanks for the help.

        >
        >
        >
        > Best Regards
        > Kind regards, Robert Schetterer
        >



        Best Regards
        Kind regards, Robert Schetterer

        --
        [*] sys4 AG

        http://sys4.de, +49 (89) 30 90 46 64
        Franziskanerstraße 15, 81669 München

        Registered office: München, Amtsgericht München: HRB 199263
        Executive board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
        Chairman of the supervisory board: Florian Kirstein