[Ach] Feedback to applied-crypto-hardening.pdf - Mail Servers - Dovecot+Postfix

Sebastian sebix at sebix.at
Fri Dec 22 14:06:55 CET 2017


Please consider writing one email with feedback on multiple sections,

On 12/22/2017 01:43 PM, Torge Riedel wrote:
> The guide is working for me,
Will be added too.
> I am using the following settings with success from Thomas' guide:
> smtp_tls_security_level = dane
> smtp_dns_support_level = dnssec
Yes, we are missing DNSSEC and DANE in the guide currently. See for
example: https://github.com/BetterCrypto/Applied-Crypto-Hardening/pull/69

On 12/22/2017 01:50 PM, Torge Riedel wrote:
> The guide is working for me.
> But I'm not sure whether it should be
> ssl=1
The docs do not mention it at all:
Is it necessary?
Here is an indicator it might be necessary:
> And - this is maybe out-of-scope - if you want to use Let's Encrypt
> certs for MySQL, do the following:
The usage of letsencrypt, and other approaches, is out of scope, yes.
The guide is CA-agnostic.


python programming - mail server - photo - video - https://sebix.at
cryptographic key at https://sebix.at/DC9B463B.asc and on public keyservers
