On Thu, Jul 11, 2013 at 07:28:19PM -0300, Hugo Osvaldo Barrera wrote:
> >
> > * TLS perfect forward secrecy with ecdhe
>
> I'm slightly ignorant on this topic, so let me ask to be sure.
> Do we need to *do* anything for PFS to work, (like use a specific type
> of key?), or should it work out-of-the-box with any TLS key type?
>
You don't need to do anything on the OpenSMTPD side except build and run
the code on a machine that has a recent OpenSSL with support for ECDH.
You can check that it works by doing:
$ openssl s_client -host yourmailhost -port 25 -starttls smtp
and searching for the line:
"New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384"
^^^^^
Now, all you need is a client that will negotiate that.
To verify, simply send yourself a mail and check the headers:
Received: from desktop.poolp.org (89-156-140-4.rev.numericable.fr
[89.156.140.4]);
by poolp.org (OpenSMTPD) with ESMTPSA id ebf56aec;
vvvvv
TLS version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-SHA bits=256 verify=NO;
^^^^^
for <[email protected]>;
Fri, 12 Jul 2013 08:37:50 +0200 (CEST)
Message-ID: <[email protected]>
Date: Fri, 12 Jul 2013 08:37:50 +0200
From: Gilles Chehade <[email protected]>
User-Agent: Mozilla/5.0 (X11; OpenBSD amd64; rv:17.0) Gecko/20130628
Thunderbird/17.0.7
--
Gilles Chehade
https://www.poolp.org @poolpOrg
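The two checks Gilles describes above (grep the cipher out of s_client output, then grep the cipher out of the Received: header) can be scripted so you don't eyeball it each time. The following is an added example, not code from the thread or from OpenSMTPD; the sample s_client output and Received: headers are constructed, with made-up hosts, addresses and session ids. The key-exchange classifier goes a bit beyond the ECDHE case in the mail: it also recognizes DHE, static (EC)DH, anonymous and TLS 1.3 suites, based on how OpenSSL names them (the key exchange is the leading token, and plain "AES128-SHA" style names are static RSA).

```python
import re

# Constructed sample of "openssl s_client -starttls smtp" output (not captured from a real host).
S_CLIENT_OUTPUT = """\
---
SSL handshake has read 3210 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
"""

# Constructed Received: headers in OpenSMTPD's format; hosts, addresses and ids are made up.
RECEIVED_HEADERS = [
    # ECDHE key exchange: this hop has forward secrecy.
    "Received: from desktop.example.org (host.example.net [192.0.2.10]);\n"
    "\tby mx.example.org (OpenSMTPD) with ESMTPSA id 0a1b2c3d;\n"
    "\tTLS version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-SHA bits=256 verify=NO;\n"
    "\tfor <user@example.org>;\n"
    "\tFri, 12 Jul 2013 08:37:50 +0200 (CEST)",
    # Static RSA key exchange: encrypted, but the server key decrypts every past session.
    "Received: from legacy.example.org (legacy.example.net [192.0.2.11]);\n"
    "\tby mx.example.org (OpenSMTPD) with ESMTPS id 1e2f3a4b;\n"
    "\tTLS version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO;\n"
    "\tfor <user@example.org>;\n"
    "\tFri, 12 Jul 2013 09:00:00 +0200 (CEST)",
    # No TLS at all: there is no "TLS version=" line to inspect.
    "Received: from plain.example.org (plain.example.net [192.0.2.12])\n"
    "\tby mx.example.org (OpenSMTPD) with ESMTP id 5c6d7e8f;\n"
    "\tfor <user@example.org>;\n"
    "\tFri, 12 Jul 2013 09:05:00 +0200 (CEST)",
]

SCLIENT_CIPHER_RE = re.compile(r"^New, [^,]+, Cipher is (\S+)", re.MULTILINE)
RECEIVED_TLS_RE = re.compile(
    r"TLS version=(?P<version>\S+) cipher=(?P<cipher>\S+) "
    r"bits=(?P<bits>\d+) verify=(?P<verify>\w+)"
)
RECEIVED_SESSION_RE = re.compile(r"\bwith (?P<proto>\S+) id (?P<id>\w+)")


def key_exchange(cipher):
    """Classify the key exchange from an OpenSSL cipher suite name.

    OpenSSL puts the key exchange in the leading token and omits it for
    static RSA (AES128-SHA is RSA key exchange). TLS 1.3 suites (TLS_...)
    always use ephemeral (EC)DHE.
    """
    if cipher.startswith("TLS_"):
        return "TLS1.3"
    kx = cipher.split("-")[0]
    if kx == "ECDHE":
        return "ECDHE"
    if kx in ("DHE", "EDH"):
        return "DHE"
    if kx in ("ADH", "AECDH"):
        return "anon"        # ephemeral but unauthenticated: trivially MITM-able
    if kx in ("ECDH", "DH"):
        return "static-DH"   # fixed DH key tied to the certificate, no forward secrecy
    if kx.endswith("PSK"):
        return "PSK"
    return "RSA"


def has_forward_secrecy(cipher):
    """True only for authenticated ephemeral key exchange."""
    return key_exchange(cipher) in ("ECDHE", "DHE", "TLS1.3")


def cipher_from_s_client(output):
    """Pull the negotiated suite out of s_client output; None if no TLS session."""
    m = SCLIENT_CIPHER_RE.search(output)
    if not m or m.group(1) == "(NONE)":
        return None
    return m.group(1)


def parse_received(header):
    """Return session id, protocol and TLS parameters from one Received: header."""
    session = RECEIVED_SESSION_RE.search(header)
    tls = RECEIVED_TLS_RE.search(header)
    info = {
        "id": session.group("id") if session else None,
        "proto": session.group("proto") if session else None,
        "cipher": None,
        "pfs": None,          # None means this hop was not protected by TLS at all
    }
    if tls:
        info["cipher"] = tls.group("cipher")
        info["bits"] = int(tls.group("bits"))
        info["verify"] = tls.group("verify")
        info["pfs"] = has_forward_secrecy(info["cipher"])
    return info


def audit_received(headers):
    """Classify every hop: True = PFS, False = TLS without PFS, None = no TLS."""
    return [parse_received(h) for h in headers]


if __name__ == "__main__":
    print("s_client negotiated:", cipher_from_s_client(S_CLIENT_OUTPUT))
    for r in audit_received(RECEIVED_HEADERS):
        state = "PFS" if r["pfs"] else ("no PFS" if r["pfs"] is False else "no TLS")
        print(r["id"], r["proto"], r["cipher"], state)
```

To use it against a real box, pipe `openssl s_client -connect yourmailhost:25 -starttls smtp </dev/null` into cipher_from_s_client, and feed the Received: lines of a mail you sent yourself into audit_received. Note that the verify=NO in the quoted header is about certificate verification of the peer, which is independent of forward secrecy: an ECDHE session with verify=NO still has PFS, it just was not authenticated by certificate.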
--
You received this email because you are subscribed to mailing list:
[email protected]
To unsubscribe, send mail with subject:
[[email protected]] unregister