postfix smtpd per server ssl setting

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

postfix smtpd per server ssl setting

Aleksandar Lazic (pf-u-de)
Hallo.

ich finde gerade die Lösung nicht im startpage.com.

Es gibt 3 Server von einem Kunden die es einfach nicht schaffen mit
meinem Server eine SSL Verbindung aufzubauen.
Ich habe bereits wieder SSLv3 aktiviert und trotzdem bekomme ich immer
diesen Fehler.

postfix/smtpd[27053]: SSL_accept error from <SERVER>: -1

Nun wollte ich diese Maschinen explizit aus dem SSL rausnehmen so ala
"smtpd_tls_security_level = none" oder STARTTLS ganz deaktivieren für
diese Server.

Geht das im

postconf mail_version
mail_version = 2.11.0

LG
Aleks

### postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = no
config_directory = /etc/postfix
content_filter = smtp-amavis:127.0.0.1:10024
dovecot_destination_recipient_limit = 1
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
mailbox_size_limit = 0
message_size_limit = 51200000
mydestination = localhost.none.at, localhost
myhostname = smtp.none.at
myorigin = /etc/mailname
policy-spf_time_limit = 3600s
postscreen_access_list =
permit_mynetworks,cidr:/etc/postfix/postscreen_access.cidr,
cidr:/etc/postfix/postscreen_spf_whitelist.cidr
postscreen_bare_newline_action = enforce
postscreen_bare_newline_enable = yes
postscreen_blacklist_action = enforce
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = zen.spamhaus.org*2 bl.spamcop.net*1
b.barracudacentral.org*1 ix.dnsbl.manitu.net*2
postscreen_dnsbl_threshold = 2
postscreen_greet_action = enforce
postscreen_non_smtp_command_enable = yes
postscreen_pipelining_enable = yes
readme_directory = /usr/share/doc/postfix
recipient_delimiter = -
relayhost =
smtp_bind_address = 5.9.105.120
smtp_dns_support_level = dnssec
smtp_tls_ciphers = medium
smtp_tls_exclude_ciphers = aNULL MD5 SRP PSK aKRB5 aDSS aECDH aDH SEED
IDEA RC2 RC5
smtp_tls_loglevel = 1
smtp_tls_mandatory_exclude_ciphers = aNULL MD5
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
smtp_tls_note_starttls_offer = yes
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy_maps
smtp_tls_protocols = !SSLv2 !SSLv3
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_helo_required = yes
smtpd_proxy_timeout = 240s
smtpd_relay_restrictions = check_helo_access
hash:/etc/postfix/helo_checks, check_client_access
hash:/etc/postfix/client_checks, permit_sasl_authenticated,
reject_invalid_hostname, reject_non_fqdn_hostname,
reject_non_fqdn_sender, reject_non_fqdn_recipient,
reject_unknown_sender_domain, reject_unknown_recipient_domain,
reject_unknown_client, reject_unknown_hostname, permit_mynetworks,
reject_unauth_destination, check_policy_service unix:private/policy-spf,
check_recipient_access pcre:/etc/postfix/smtpd_recipient_checks.pcre,
check_recipient_access hash:/etc/postfix/recipient_checks,
check_sender_access hash:/etc/postfix/sender_checks, check_sender_access
pcre:/etc/postfix/sender_checks.pcre, check_client_access
pcre:/etc/postfix/client_checks.pcre, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/smtp.none.at.crt
smtpd_tls_ciphers = medium
smtpd_tls_dh1024_param_file = /etc/ssl/dh_2048.pem
smtpd_tls_dh512_param_file = /etc/ssl/dh_512.pem
smtpd_tls_eccert_file = /etc/ssl/smtp.none.at.ecc.pem
smtpd_tls_eecdh_grade = strong
smtpd_tls_exclude_ciphers = aNULL MD5 SRP PSK aKRB5 aDSS aECDH aDH SEED
IDEA RC2 RC5
smtpd_tls_key_file = /etc/ssl/smtp.none.at.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_exclude_ciphers = aNULL
smtpd_tls_mandatory_protocols = TLSv1 SSLv3
smtpd_tls_protocols = !SSLv2
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
tls_export_cipherlist = aNULL:-aNULL:ALL:-RC4:@STRENGTH
tls_high_cipherlist =
ECDHE-ECDSA-AES256-SHA:EECDH+AES:EDH+AES:-SHA1:EECDH+AES256:EDH+AES256:AES256-SHA:!MEDIUM:!RC4:!aNULL:!eNULL:!EXP:!LOW:!MD5:@STRENGTH
tls_low_cipherlist = aNULL:-aNULL:ALL:!EXPORT:-RC4:@STRENGTH
tls_medium_cipherlist =
ECDHE-ECDSA-AES256-SHA:EECDH+AES:EDH+AES:-SHA1:EECDH+AES256:EDH+AES256:AES256-SHA:!RC4:!aNULL:!eNULL:!EXP:!LOW:!MD5:@STRENGTH
tls_preempt_cipherlist = yes
transport_maps = hash:/etc/postfix/transport
virtual_alias_maps =
proxy:mysql:/etc/postfix/mysql-virtual-alias-maps.cf
virtual_mailbox_domains =
proxy:mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps =
proxy:mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_transport = dovecot
###