Re: Postfix TLS

Markus Heinze max at freecards.de
Mon May 15 10:05:47 CEST 2017


Hello,

Yes, this certificate applies to www, smtp, imap and pop, and according to liveconfig
everything is fine too

-->

<<< 220 mail.<domainname>.tld ESMTP
>>> EHLO sslcheck.liveconfig.com
<<< 250-mail.<domainname>.tld
<<< 250-PIPELINING
<<< 250-SIZE 52428800
<<< 250-ETRN
<<< 250-STARTTLS
<<< 250-AUTH PLAIN
<<< 250-AUTH=PLAIN
<<< 250-ENHANCEDSTATUSCODES
<<< 250-8BITMIME
<<< 250-DSN
<<< 250 SMTPUTF8
>>> STARTTLS
<<< 220 2.0.0 Ready to start TLS
<<< 220 mail.<domainname>.tld ESMTP
>>> EHLO sslcheck.liveconfig.com
<<< 250-mail.<domainname>.tld
<<< 250-PIPELINING
<<< 250-SIZE 52428800
<<< 250-ETRN
<<< 250-STARTTLS
<<< 250-AUTH PLAIN
<<< 250-AUTH=PLAIN
<<< 250-ENHANCEDSTATUSCODES
<<< 250-8BITMIME
<<< 250-DSN
<<< 250 SMTPUTF8
>>> STARTTLS
<<< 220 2.0.0 Ready to start TLS


<<< +OK Welcome to ....!
>>> CAPA
<<< +OK
<<< CAPA
<<< TOP
<<< UIDL
<<< RESP-CODES
<<< PIPELINING
<<< AUTH-RESP-CODE
<<< STLS
<<< USER
<<< SASL PLAIN
<<< .
>>> STLS
<<< +OK Begin TLS negotiation now.
<<< +OK Welcome to ....!
>>> CAPA
<<< +OK
<<< CAPA
<<< TOP
<<< UIDL
<<< RESP-CODES
<<< PIPELINING
<<< AUTH-RESP-CODE
<<< STLS
<<< USER
<<< SASL PLAIN
<<< .
>>> STLS
<<< +OK Begin TLS negotiation now.

<<< * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Welcome ....!
>>> a001 CAPABILITY
<<< * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN
<<< a001 OK Pre-login capabilities listed, post-login capabilities have more.
>>> a002 STARTTLS
<<< a002 OK Begin TLS negotiation now.
<<< * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Welcome to ....!
>>> a001 CAPABILITY
<<< * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN
<<< a001 OK Pre-login capabilities listed, post-login capabilities have more.
>>> a002 STARTTLS
<<< a002 OK Begin TLS negotiation now.

Protocol:	TLSv1.2
OCSP Stapling:	YES

OCSP Response Data:
     OCSP Response Status: successful (0x0)
     Response Type: Basic OCSP Response
     Version: 1 (0x0)
     Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
     Produced At: May 12 13:05:00 2017 GMT
     Responses:
     Certificate ID:
       Hash Algorithm: sha1
       Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
       Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
       Serial Number: 03AD311E209CBA2942BFD0A549D867C26C20
     Cert Status: good
     This Update: May 12 13:00:00 2017 GMT
     Next Update: May 19 13:00:00 2017 GMT

     Signature Algorithm: sha256WithRSAEncryption
          51:78:2a:1f:64:38:8f:51:39:2e:d4:86:96:76:b6:08:62:ea:
          9f:df:7e:08:94:a2:34:9b:66:02:b8:4a:aa:de:1e:3b:43:78:
          b3:09:d0:2f:b6:37:39:1e:a4:22:05:ee:68:8d:37:47:ad:03:
          c9:40:ab:26:24:8d:63:59:b1:15:e9:76:31:23:c7:b0:82:28:
          6a:95:eb:e3:81:4b:39:db:f8:8c:14:4a:cb:58:0a:68:d1:e3:
          f1:8e:cd:d9:c4:6d:13:fa:2b:dd:c2:1f:0c:a5:08:e7:8f:14:
          68:c0:a7:d0:d8:ec:65:d4:fd:6d:bb:72:e0:7a:51:78:da:3d:
          e0:28:a5:84:62:c4:c2:84:e4:11:1d:df:98:c0:22:02:ff:8b:
          55:c9:0c:77:7c:c7:1c:e2:a8:84:94:a1:07:1b:6e:9f:58:70:
          bd:87:45:2a:06:7c:40:2d:db:53:2b:bd:59:f9:4e:00:31:a1:
          68:7c:5f:11:1b:74:35:f0:51:64:a0:eb:59:7d:f2:c6:ab:d7:
          c1:72:84:f3:fe:57:fb:a3:78:1f:85:bd:5a:28:c6:3d:87:ef:
          61:0b:fe:c8:47:4e:cb:bc:3b:31:47:43:13:de:0d:ef:43:4b:
          fe:27:81:0e:7f:9b:2c:19:ec:89:ce:77:2b:bf:5e:f3:ed:69:
          b3:42:87:cb

DHE temporary key type:	DH (4096 bits)
DH parameters:	4096 bits
DH parameters (MD5): dafe80bed54a130961a7dccd3fdb309a

<--

With the following settings in Thunderbird it works

security.OCSP.GET.enabled: true
security.OCSP.enabled: 1
security.OCSP.require: true
security.ssl.enable_ocsp_must_staple: false
security.ssl.enable_ocsp_stapling: true

but it can't be that complicated, can it? That has to work out of the box
too

Regards
M.Heinze

On 2017-05-15 9:35, Daniel wrote:
> Does dovecot actually use this cert too, and not a different one?
> 
> Otherwise feel free to use https://de.ssl-tools.net/mailservers and
> https://www.liveconfig.com/de/sslcheck for testing the cert, DANE and,
> where needed, reachability in the individual case.
> 
> Regards, Daniel
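A way to audit a transcript like the one pasted above mechanically, as an added example that is not part of this thread and not code from liveconfig's sslcheck tool. It parses the `<<<`/`>>>` dialogue and the stapling summary from a constructed, abbreviated sample in the same format (hostnames replaced by placeholders), reports per protocol whether STARTTLS was advertised and accepted, and judges the stapled OCSP response against its This Update/Next Update window as of the time the check was run. Those are the fields that matter for a client configured to insist on revocation information, as in the Thunderbird settings above. The function names (`audit`, `check_staple`, and so on) are this example's own, and the date format assumed is the one OpenSSL prints in OCSP output.

```python
"""Added example (not from the thread or liveconfig's tool): audit a STARTTLS/OCSP transcript."""
import re
from datetime import datetime, timezone

# Constructed, abbreviated sample in the same format as the thread; hostnames are placeholders.
SAMPLE = """\
<<< 220 mail.example.tld ESMTP
>>> EHLO sslcheck.example
<<< 250-mail.example.tld
<<< 250-STARTTLS
<<< 250 SMTPUTF8
>>> STARTTLS
<<< 220 2.0.0 Ready to start TLS
<<< 220 mail.example.tld ESMTP
>>> EHLO sslcheck.example
<<< 250-mail.example.tld
<<< 250-STARTTLS
<<< 250 SMTPUTF8
>>> STARTTLS
<<< 220 2.0.0 Ready to start TLS

<<< +OK Welcome to ....!
>>> CAPA
<<< +OK
<<< STLS
<<< .
>>> STLS
<<< +OK Begin TLS negotiation now.

<<< * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID
ENABLE IDLE STARTTLS AUTH=PLAIN] Welcome ....!
>>> a002 STARTTLS
<<< a002 OK Begin TLS negotiation now.

Protocol:\tTLSv1.2
OCSP Stapling:\tYES
     OCSP Response Status: successful (0x0)
     Cert Status: good
     This Update: May 12 13:00:00 2017 GMT
     Next Update: May 19 13:00:00 2017 GMT
"""

GREETING = re.compile(r"^(220 |\+OK|\* OK)")  # first server line of a session
RULES = {  # greeting, capability advertised, client command, accepting reply
    "smtp": (r"^220 ", r"^250[- ]STARTTLS\b", r"^STARTTLS$", r"^220[ -]"),
    "pop3": (r"^\+OK", r"^STLS$", r"^STLS$", r"^\+OK"),
    "imap": (r"^\* OK", r"\bSTARTTLS\b", r"^\S+ STARTTLS$", r"^\S+ OK\b"),
}
OCSP_TIME = "%b %d %H:%M:%S %Y GMT"  # assumed: OpenSSL's OCSP date format

def utc(*ymdhms):
    return datetime(*ymdhms, tzinfo=timezone.utc)

def split_dialogue(text):
    """Split the <<< / >>> dialogue (everything before 'Protocol:') into sessions.
    A server greeting that follows another server line starts a new session, which
    separates back-to-back sessions the tool prints without a blank line between them."""
    dialogue = re.split(r"^Protocol:", text, maxsplit=1, flags=re.M)[0]
    sessions, current = [], []
    for line in (l.rstrip() for l in dialogue.splitlines() if l.strip()):
        m = re.match(r"^(<<<|>>>) ?(.*)$", line)
        if not m:  # unprefixed line: a mail-client wrap of the previous message
            if current:
                current[-1] = (current[-1][0], current[-1][1] + " " + line.strip())
            continue
        direction, payload = ("S" if m.group(1) == "<<<" else "C"), m.group(2)
        if direction == "S" and GREETING.match(payload) and current and current[-1][0] == "S":
            sessions.append(current)
            current = []
        current.append((direction, payload))
    if current:
        sessions.append(current)
    return sessions

def check_session(msgs):
    """Did this session advertise STARTTLS, and did the server accept the command?"""
    proto = next((p for p, r in RULES.items() if re.match(r[0], msgs[0][1])), None)
    if proto is None:
        return {"protocol": None, "starttls_advertised": False, "starttls_accepted": False}
    _, cap, cmd, ok = RULES[proto]
    advertised = any(re.search(cap, p) for d, p in msgs if d == "S")
    i = next((i for i, (d, p) in enumerate(msgs) if d == "C" and re.match(cmd, p)), None)
    accepted = (i is not None and i + 1 < len(msgs) and msgs[i + 1][0] == "S"
                and re.match(ok, msgs[i + 1][1]) is not None)
    return {"protocol": proto, "starttls_advertised": advertised, "starttls_accepted": accepted}

def parse_summary(text):
    """Pull the stapling fields out of the summary that follows the dialogue."""
    keys = ("Protocol", "OCSP Stapling", "OCSP Response Status", "Cert Status", "This Update", "Next Update")
    found = (re.search(r"^\s*%s:\s*(.+?)\s*$" % re.escape(k), text, re.M) for k in keys)
    return {k: m.group(1) for k, m in zip(keys, found) if m}

def check_staple(fields, checked_at):
    """Judge the stapled response as of `checked_at` (aware UTC datetime); returns (ok, reasons)."""
    reasons = []
    if fields.get("OCSP Stapling", "").upper() != "YES":
        return False, ["server does not staple an OCSP response"]
    if not fields.get("OCSP Response Status", "").startswith("successful"):
        reasons.append("stapled response status is not successful")
    if fields.get("Cert Status") != "good":
        reasons.append("stapled response reports cert status %r" % fields.get("Cert Status"))
    try:
        this_upd = datetime.strptime(fields["This Update"], OCSP_TIME).replace(tzinfo=timezone.utc)
        next_upd = datetime.strptime(fields["Next Update"], OCSP_TIME).replace(tzinfo=timezone.utc)
    except (KeyError, ValueError):
        return False, reasons + ["validity window missing or unparsable"]
    if checked_at < this_upd:
        reasons.append("stapled response is not yet valid (clock skew?)")
    if checked_at > next_upd:
        reasons.append("stapled response expired at %s; the server must refresh it" % next_upd.isoformat())
    return not reasons, reasons

def audit(report, checked_at):
    """One entry per protocol session plus the staple verdict."""
    sessions = [check_session(s) for s in split_dialogue(report)]
    ok, reasons = check_staple(parse_summary(report), checked_at)
    return {"sessions": sessions, "staple_ok": ok, "staple_reasons": reasons}

if __name__ == "__main__":
    import json
    print(json.dumps(audit(SAMPLE, utc(2017, 5, 15, 8, 5)), indent=2))
```

Run against the real output, pass the time the checker actually ran as `checked_at`: the window printed in the thread (May 12 to May 19 2017) is only meaningful relative to that moment, and a server that serves the same staple past Next Update will look fine to a lenient client while a strict one refuses it.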



More information about the Postfixbuch-users mailing list