Re: Postfix TLS
Markus Heinze
max at freecards.de
Mon May 15 10:05:47 CEST 2017
Hello,
Yes, this certificate is valid for www, smtp, imap and pop, and according to liveconfig
everything is fine as well
-->
<<< 220 mail.<domainname>.tld ESMTP
>>> EHLO sslcheck.liveconfig.com
<<< 250-mail.<domainname>.tld
<<< 250-PIPELINING
<<< 250-SIZE 52428800
<<< 250-ETRN
<<< 250-STARTTLS
<<< 250-AUTH PLAIN
<<< 250-AUTH=PLAIN
<<< 250-ENHANCEDSTATUSCODES
<<< 250-8BITMIME
<<< 250-DSN
<<< 250 SMTPUTF8
>>> STARTTLS
<<< 220 2.0.0 Ready to start TLS
<<< 220 mail.<domainname>.tld ESMTP
>>> EHLO sslcheck.liveconfig.com
<<< 250-mail.<domainname>.tld
<<< 250-PIPELINING
<<< 250-SIZE 52428800
<<< 250-ETRN
<<< 250-STARTTLS
<<< 250-AUTH PLAIN
<<< 250-AUTH=PLAIN
<<< 250-ENHANCEDSTATUSCODES
<<< 250-8BITMIME
<<< 250-DSN
<<< 250 SMTPUTF8
>>> STARTTLS
<<< 220 2.0.0 Ready to start TLS
<<< +OK Welcome to ....!
>>> CAPA
<<< +OK
<<< CAPA
<<< TOP
<<< UIDL
<<< RESP-CODES
<<< PIPELINING
<<< AUTH-RESP-CODE
<<< STLS
<<< USER
<<< SASL PLAIN
<<< .
>>> STLS
<<< +OK Begin TLS negotiation now.
<<< +OK Welcome to ....!
>>> CAPA
<<< +OK
<<< CAPA
<<< TOP
<<< UIDL
<<< RESP-CODES
<<< PIPELINING
<<< AUTH-RESP-CODE
<<< STLS
<<< USER
<<< SASL PLAIN
<<< .
>>> STLS
<<< +OK Begin TLS negotiation now.
<<< * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID
ENABLE IDLE STARTTLS AUTH=PLAIN] Welcome ....!
>>> a001 CAPABILITY
<<< * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE
IDLE STARTTLS AUTH=PLAIN
<<< a001 OK Pre-login capabilities listed, post-login capabilities have
more.
>>> a002 STARTTLS
<<< a002 OK Begin TLS negotiation now.
<<< * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID
ENABLE IDLE STARTTLS AUTH=PLAIN] Welcome to ....!
>>> a001 CAPABILITY
<<< * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE
IDLE STARTTLS AUTH=PLAIN
<<< a001 OK Pre-login capabilities listed, post-login capabilities have
more.
>>> a002 STARTTLS
<<< a002 OK Begin TLS negotiation now.
Protocol: TLSv1.2
OCSP Stapling: YES
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt
Authority X3
Produced At: May 12 13:05:00 2017 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
Serial Number: 03AD311E209CBA2942BFD0A549D867C26C20
Cert Status: good
This Update: May 12 13:00:00 2017 GMT
Next Update: May 19 13:00:00 2017 GMT
Signature Algorithm: sha256WithRSAEncryption
DHE temporary key type: DH (4096 bits)
DH parameters: 4096 bits
DH parameters (MD5): dafe80bed54a130961a7dccd3fdb309a
<--
With the following settings in Thunderbird it works
security.OCSP.GET.enabled: true
security.OCSP.enabled: 1
security.OCSP.require: true
security.ssl.enable_ocsp_must_staple: false
security.ssl.enable_ocsp_stapling: true
but it can't be that complicated, can it? This has to work out
of the box too
Best regards
M.Heinze
On 2017-05-15 9:35, Daniel wrote:
> Does dovecot actually use this cert too, and not a different one?
>
> Otherwise I like to use https://de.ssl-tools.net/mailservers and
> https://www.liveconfig.com/de/sslcheck for testing the cert, DANE and,
> where applicable, reachability in individual cases.
>
> Regards, Daniel
More information about the Postfixbuch-users mailing list