Mailing List Archive



Re: [tlug] Note to server admins: you're breaking DKIM



... and the TLS ciphers are weird:

Apr 16 10:21:39 random postfix/smtp[2507]: SSL_connect error to kirakira.tlug.jp[202.224.46.216]:25: -1
Apr 16 10:21:39 random postfix/smtp[2507]: warning: TLS library problem: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:/usr/src/crypto/openssl/ssl/s23_clnt.c:802:
Apr 16 10:21:39 random postfix/smtp[2507]: 1AA41DAD36: Cannot start TLS: handshake failure

If you're using Postfix, try this (and adjust cert paths for Linux; this example
is for NetBSD):

	smtpd_use_tls = yes
	smtpd_tls_auth_only = yes
	smtpd_tls_key_file = /etc/postfix/privkey.pem
	smtpd_tls_cert_file = /etc/postfix/fullchain.pem
	smtpd_tls_CAfile = /etc/postfix/fullchain.pem
	smtpd_tls_received_header = yes
	smtpd_tls_session_cache_timeout = 3600s
	smtpd_tls_loglevel = 1
	smtpd_tls_ask_ccert = yes

	smtpd_tls_security_level = may
	smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5
	smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
	smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
	smtpd_tls_mandatory_ciphers = medium
	tls_medium_cipherlist = AES128+EECDH:AES128+EDH
	smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem
	smtpd_tls_dh512_param_file = /etc/postfix/dh512.pem

	smtp_tls_CAfile = /usr/local/share/certs/ca-root-nss.crt
	smtp_use_tls = yes
	smtp_tls_security_level = may
	smtp_enforce_tls = no
	smtp_tls_loglevel = 1
	smtp_tls_key_file = /etc/postfix/privkey.pem
	smtp_tls_cert_file = /etc/postfix/fullchain.pem

-- 

-- Chris
   GPG key fingerprint A582 1BB2 6E72 49BF D4BA  25B4 E40C 37F9 199C 6964
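
Added example, not part of the original post: the three log lines quoted in the message can be correlated by postfix/smtp process id to list which peers fail the TLS handshake and which queued mails are affected. The function name `tls_failures` and the report layout are assumptions; the sample input is the log excerpt from the message.

```python
import re
from collections import defaultdict

# Sample input: the three log lines quoted in the message above.
SAMPLE_LOG = """\
Apr 16 10:21:39 random postfix/smtp[2507]: SSL_connect error to kirakira.tlug.jp[202.224.46.216]:25: -1
Apr 16 10:21:39 random postfix/smtp[2507]: warning: TLS library problem: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:/usr/src/crypto/openssl/ssl/s23_clnt.c:802:
Apr 16 10:21:39 random postfix/smtp[2507]: 1AA41DAD36: Cannot start TLS: handshake failure
"""

# Syslog prefix of a postfix/smtp (client side) line: capture pid and message.
LINE = re.compile(r"^\w{3} +\d+ [\d:]{8} \S+ postfix/smtp\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONNECT = re.compile(r"^SSL_connect error to (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+):")
# OpenSSL error string: error:<code>:<library>:<function>:<reason>:<file>:<line>:
LIBERR = re.compile(r"^warning: TLS library problem: error:(?P<code>[0-9A-Fa-f]+):[^:]*:(?P<func>[^:]*):(?P<reason>[^:]*):")
QUEUE = re.compile(r"^(?P<qid>[0-9A-F]{6,}): Cannot start TLS: (?P<why>.*)$")


def tls_failures(log_text):
    """Correlate postfix/smtp TLS failure lines by process id.

    Returns {(host, ip, port): {"reasons": set, "queue_ids": list}}.
    """
    current = {}  # pid -> (host, ip, port) of the connection that just failed
    report = defaultdict(lambda: {"reasons": set(), "queue_ids": []})
    for raw in log_text.splitlines():
        line = LINE.match(raw)
        if not line:
            continue  # other daemons and malformed lines are ignored
        pid, msg = line["pid"], line["msg"]
        if m := CONNECT.match(msg):
            current[pid] = (m["host"], m["ip"], int(m["port"]))
            report[current[pid]]  # record the peer even if no detail follows
        elif pid in current and (m := LIBERR.match(msg)):
            report[current[pid]]["reasons"].add(f"{m['func']}: {m['reason']}")
        elif pid in current and (m := QUEUE.match(msg)):
            report[current[pid]]["queue_ids"].append(m["qid"])
            del current[pid]  # this delivery attempt is finished
    return dict(report)


if __name__ == "__main__":
    for (host, ip, port), info in tls_failures(SAMPLE_LOG).items():
        print(f"{host}[{ip}]:{port}  mail={info['queue_ids']}  reasons={sorted(info['reasons'])}")
```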


