Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen angezeigt.

--- centos:mail_c7:postfix3_5 [14.02.2019 20:59. ] – [verpflichtende Verschlüsselung zu ausgewählten Empfängern/Servern] django
+++ centos:mail_c7:postfix3_5 [18.11.2024 19:13. ] (aktuell) – Externe Bearbeitung 127.0.0.1
@@ Zeile 537: / Zeile 537: @@
 <file perl /usr/local/bin/ca-list>#!/usr/bin/perl
 # Liste eines Zertifikatsbundles ausgeben.
-# Django <django@mailserver.guru> (c) 2019
+# Django <django@nausch.org> (c) 2019
 #
 $file = shift;
@@ Zeile 565: / Zeile 565: @@
   subject= /O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
-==== CA Vetrauensmodell - CA Trust ====
+==== CA Vertrauensmodell - CA Trust ====
 {{page>centos:ca-trust&nofooter&showheader}}
@@ Zeile 1897: / Zeile 1897: @@
 <file bash edh_keygen>#!/bin/bash
 # Script zum Erstellen der Diffie Hellman Schlüssel
-# Django <django@mailserver.guru> (c) 2019
+# Django <django@nausch.org> (c) 2019
 cd /etc/pki/tls/tmp
 umask 022
@@ Zeile 2946: / Zeile 2946: @@
 </WRAP>
-<WRAP center round todo 30%>
-FIXME FIXME FIXME
-  * //**... in Überarbeitung!**//
-FIXME FIXME FIXME
-</WRAP>
@@ Zeile 2973: / Zeile 2963: @@
 ...
-# Django : 2015-02-04 - DNS-Support des Postfix SMTP-Client
+# Django : 2019-02-11 - DNS-Support des Postfix SMTP-Client
 #          Wird der Parameter smtp_dns_support_level auf seinem Defaultwert
 #          belassen, wird der SMTP-Client abhängig vom Parameter
@@ Zeile 2998: / Zeile 2988: @@
 smtp_dns_support_level = dnssec
-# Django : 2015-02-04 - Opportunistische DANE TLS-Verschlüsselung für den
+# Django : 2019-02-11 - Opportunistische DANE TLS-Verschlüsselung für den
 #          SMTP-Client für den ausgehenden Verkehr aktiviert; Bei diesem
-#          Sicherhietslevel wird versucht die TLS Sicherheitsvorgaben via
+#          Sicherheitslevel wird versucht die TLS Sicherheitsvorgaben via
 #          DNSsec zu erfragen.
 # default: smtp_tls_security_level =
@@ Zeile 3015: / Zeile 3005: @@
    # vim /etc/postfix/smtp_tls_policy_maps
-<file bash /etc/postfix/smtp_tls_policy_maps># Django : 2015-10-07 - Empfängerbasierte verpflichtende TLS-Verschlüsselung
+<file bash /etc/postfix/smtp_tls_policy_maps># Django : 2019-02-11 - Empfängerbasierte verpflichtende TLS-Verschlüsselung
 #          Tabelle für die zielwegorientierte individuelle Vorgabe einer
 #          verpflichtenden TLS-Transportverschlüsselung einzelner Zieldomains.
@@ Zeile 3031: / Zeile 3021: @@
 </file>
-Vor der Aktivierung einer Konfigurationsänderung musss noch die zugehörige db_Datei der lookup- Tabelle **smtp_tls_policy_maps**.
+Vor der Aktivierung einer Konfigurationsänderung muss noch die zugehörige db_Datei der lookup- Tabelle **smtp_tls_policy_maps**.
    # postmap /etc/postfix/smtp_tls_policy_maps
@@ Zeile 3037: / Zeile 3027: @@
    # systemctl restart postfix.service
-Wir nun eine Nachricht an den Zielserver gesendet, für die wir einen **smtp_tls_security_level = //dane-only//** definiert haben, wird der Zertifikats-Fingerprint via DNSSEC-Anfrage geholt und mit dem Wert verglichen, den der SMTP-Client vom empfangenen Server-Zertifikat ermitelt hat. Sind beide Fingerprints gleich, wird unser MTA mit der Üertragung der Nachricht(en) fortfahren. Im Maillog unseres Servers wird dies entsprehend positiv vermerkt.
+Wir nun eine Nachricht an den Zielserver gesendet, für die wir einen **smtp_tls_security_level = //dane-only//** definiert haben, wird der Zertifikats-Fingerprint via DNSSEC-Anfrage geholt und mit dem Wert verglichen, den der SMTP-Client vom empfangenen Server-Zertifikat ermittelt hat. Sind beide Fingerprints gleich, wird unser MTA mit der Übertragung der Nachricht(en) fortfahren. Im Maillog unseres Servers wird dies entsprehend positiv vermerkt.
-<code>Oct 13 09:53:36 vml000087 postfix/smtp[18312]: connect to mail.sys4.de[194.126.158.132]:25
+<code>Feb 14 23:07:36 vml000087 postfix/smtp[18312]: connect to mail.sys4.de[194.126.158.132]:25
-Oct 13 09:53:36 vml000087 postfix/smtp[18312]: Verified TLS connection established to mail.sys4.de[194.126.158.132]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
+Feb 14 23:07:36 vml000087 postfix/smtp[18312]: Verified TLS connection established to mail.sys4.de[194.126.158.132]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
-Oct 13 09:53:37 vml000087 postfix/smtp[18312]: 17D5FC00097: to=<p@sys4.de>, relay=mail.sys4.de[194.126.158.132]:25, delay=1.8, delays=0.05/0.02/0.71/1, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 3nZpz5107tz1G7x)
+Feb 14 23:07:37 vml000087 postfix/smtp[18312]: 17D5FC00097: to=<p@sys4.de>, relay=mail.sys4.de[194.126.158.132]:25, delay=1.8, delays=0.05/0.02/0.71/1, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 3nZpz5107tz1G7x)
-Oct 13 09:53:37 vml000087 postfix/qmgr[18157]: 17D5FC00097: removed
+Feb 14 23:07:37 vml000087 postfix/qmgr[18157]: 17D5FC00097: removed
 </code>
 Unterscheiden sich aber beide Fingerprints wird die Kommunikation mit dem Zielsystem abgebrochen und die Nachricht in die **deffered**-Queue gestellt und ggf. später wieder versucht die eMail zuzustellen.
-<code>Oct 13 12:32:22 mailslut1 postfix/smtp[27804]: Trusted TLS connection established to mx01.nausch.org[217.91.103.190]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
+<code>Feb 14 23:08:22 mailslut1 postfix/smtp[27804]: Trusted TLS connection established to mx01.nausch.org[217.91.103.190]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
-Oct 13 12:32:22 mailslut1 postfix/smtp[27804]: 1945C180008B: to=<django@nausch.org>, relay=mx01.nausch.org[217.91.103.190]:25, delay=56, delays=55/0.04/1.2/0, dsn=4.7.5, status=deferred (Server certificate not verified)</code>
+Feb 14 23:08:22 mailslut1 postfix/smtp[27804]: 1945C180008B: to=<django@nausch.org>, relay=mx01.nausch.org[217.91.103.190]:25, delay=56, delays=55/0.04/1.2/0, dsn=4.7.5, status=deferred (Server certificate not verified)</code>
 ==== Perfect Forward Secrecy ====
 Zur Aktivierung von **[[http://www.postfix.org/FORWARD_SECRECY_README.html|PFS]]**((**P**erfect **F**orward **S**ecrecy)) sind nachfolgende Optionen von entscheidender Bedeutung.
-  - **Ephemeral-Diffie-Hellmann Schlüssel**: Unsere bereits generierten //[[centos:mail_c7:mta_5?&#enhanced_diffie_hellman_keys|Diffie Hellmann Schlüssel]]// binden wir nun in unserer Postfix-Konfigurationsdatei ein. \\ \\ <code bash># Django : 2014-10-19 -  EDH Server support
+  - **Ephemeral-Diffie-Hellmann Schlüssel**: Unsere bereits generierten //[[#enhanced_diffie_hellman_keys|Diffie Hellmann Schlüssel]]// binden wir nun in unserer Postfix-Konfigurationsdatei ein. \\ \\ <code bash># Django : 2019-02-11 -  EDH Server support
 #          http://www.postfix.org/FORWARD_SECRECY_README.html
 #          Definition des 512 bit Schlüssels (export ciphers) für die obsoleten
@@ Zeile 3062: / Zeile 3051: @@
 smtpd_tls_dh1024_param_file = /etc/pki/postfix/private/dh_4096.pem
 smtpd_tls_dh512_param_file = /etc/pki/postfix/private/dh_512.pem</code>
-  - **"Ephemeral Elliptic Curve Diffie-Hellman" Schlüsselaustausch**: Definition des Grads der Sicherheit beim EECDH Schlüsselaustausch \\ \\ <code bash># Django : 2014-10-19 - Grad der Sicherheit beim EECDH Schlüsselaustausch
+  - **"Ephemeral Elliptic Curve Diffie-Hellman" Schlüsselaustausch**: Definition des Grads der Sicherheit beim EECDH Schlüsselaustausch \\ \\ <code bash># Django : 2019-02-11 - Grad der Sicherheit beim EECDH Schlüsselaustausch
 #          Ephemeral Elliptic-Curve Diffie-Hellman (EECDH)
 #          http://www.postfix.org/postconf.5.html#smtpd_tls_eecdh_grade
 # default: smtpd_tls_eecdh_grade = strong
 smtpd_tls_eecdh_grade = ultra</code>
-  - **Präferierter standardisierter kryptographischer Algorithmus**: Statt der vom Client gewünschte Cipher, wird die Default Cipher Liste des Servers verwendet. \\ \\ <code bash># Django : 2014-10-19 - Default Cipher Liste des Servers verwenden, statt der
+  - **Präferierter standardisierter kryptographischer Algorithmus**: Statt der vom Client gewünschte Cipher, wird die Default Cipher Liste des Servers verwendet. \\ \\ <code bash># Django : 2019-02-11 - Default Cipher Liste des Servers verwenden, statt der
 #          vom Client genannten Wunsch-Ciphers
 #          http://www.postfix.org/postconf.5.html#tls_preempt_cipherlist
@@ Zeile 3085: / Zeile 3074: @@
   * Client Certificate Issuer CommonName
-<code bash># Django : 2014-10-19 - Headerzeile in der eMail einfügen mit Informationen
+<code bash># Django : 2019-02-11 - Headerzeile in der eMail einfügen mit Informationen
 #          zur verwendeten Verschlüsselung
 #          http://www.postfix.org/postconf.5.html#smtpd_tls_received_header
 # default: smtpd_tls_received_header = no
 smtpd_tls_received_header = yes</code>
 === TLS-Logging beim Mailempfang ===
@@ Zeile 3102: / Zeile 3093: @@
 Im Normalbetrieb werden "nur" die Werte **0** und **1** gesetzt. Loglevel **2** und höher benötigt man nur zur Problembehandlung. Von der Benutzung des Loglefel **4** wird dringend abgeraten!
 </WRAP>
-<code bash># Django : 2014-10-19 - Logging der TLS-Infomationen zu den Verbindungen im
+<code bash># Django : 2019-02-11 - Logging der TLS-Infomationen zu den Verbindungen im
 #          Maillog des SMTP-Daemons für den ankommenden SMTP-Verkehr.
 #          http://www.postfix.org/postconf.5.html#smtpd_tls_loglevel
@@ Zeile 3119: / Zeile 3110: @@
 Im Normalbetrieb werden "nur" die Werte **0** und **1** gesetzt. Loglevel **2** und höher benötigt man nur zur Problembehandlung. Von der Benutzung des Loglefel **4** wird dringend abgeraten!
 </WRAP>
-<code bash># Django : 2014-10-19 - Logging der TLS-Infomationen zu den Verbindungen im
+<code bash># Django : 2019-02-11 - Logging der TLS-Infomationen zu den Verbindungen im
 #          Maillog des SMTP-Clients für den ausgehenden SMTP-Verkehr.
 #          http://www.postfix.org/postconf.5.html#smtp_tls_loglevel
 # default: smtp_tls_loglevel = 0
 smtp_tls_loglevel = 1</code>
@@ Zeile 3131: / Zeile 3124: @@
 ===== Postfix Verbindungstests =====
 ==== erster Test ====
 Als erstes kontrollieren wir, ob unser MX nun **//STARTTLS//** als ESMTP-Komando anbietet:
@@ Zeile 3151: / Zeile 3145: @@
 </code>
-Unser Server bietet also nun TLS an; wir sehen dies an der Rückmeldung **250-STARTTLS**.
+Unser Server bietet also nun TLS an - wir sehen dies an der Rückmeldung **250-STARTTLS**.
 ==== zweiter Verbindungstest ====
 Als nächstes verbinden wir uns unter Einbeziehung von OpenSSL mit unserem Mailserver via telnet auf Port 25:
-   $ openssl s_client -starttls smtp -connect mx01.nausch.org:25
+   $ openssl s_client -starttls smtp -connect mx1.nausch.org:25
 <code>CONNECTED(00000003)
-depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
+depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
 verify return:1
-depth=1 C = US, O = "GeoTrust, Inc.", CN = RapidSSL CA
+depth=1 C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G2
 verify return:1
-depth=0 serialNumber = 3S7x2lcbYiAccKZPoha0MSwP5hNsuSTP, OU = GT49447951, OU = See www.rapidssl.com/resources/cps (c)13, OU = Domain Control Validated - RapidSSL(R), CN = *.nausch.org
+depth=0 C = DE, OU = Domain Control Validated, CN = mx1.nausch.org
 verify return:1
 ---
 Certificate chain
-s:/serialNumber=3S7x2lcbYiAccKZPoha0MSwP5hNsuSTP/OU=GT49447951/OU=See www.rapidssl.com/resources/cps (c)13/OU=Domain Control Validated - RapidSSL(R)/CN=*.nausch.org
+s:/C=DE/OU=Domain Control Validated/CN=mx1.nausch.org
-   i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
+   i:/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
-s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
+s:/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
-   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
+   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
-s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
-   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 ---
 Server certificate
 -----BEGIN CERTIFICATE-----
-MIIFKjCCBBKgAwIBAgIDEdPpMA0GCSqGSIb3DQEBCwUAMDwxCzAJBgNVBAYTAlVT
+MIIFrjCCBJagAwIBAgIMApNDoSN56juh4oE5MA0GCSqGSIb3DQEBCwUAMEwxCzAJ
-MRcwFQYDVQQKEw5HZW9UcnVzdCwgSW5jLjEUMBIGA1UEAxMLUmFwaWRTU0wgQ0Ew
+BgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMSIwIAYDVQQDExlB
-HhcNMTQwNDA4MDMyNTAyWhcNMTYwNjAyMDEzODU0WjCBuzEpMCcGA1UEBRMgM1M3
+bHBoYVNTTCBDQSAtIFNIQTI1NiAtIEcyMB4XDTE5MDIxMTExNDcwMVoXDTIxMDIx
-eDJsY2JZaUFjY0taUG9oYTBNU3dQNWhOc3VTVFAxEzARBgNVBAsTCkdUNDk0NDc5
+MTA3NTQ0MFowSTELMAkGA1UEBhMCREUxITAfBgNVBAsTGERvbWFpbiBDb250cm9s
-NTExMTAvBgNVBAsTKFNlZSB3d3cucmFwaWRzc2wuY29tL3Jlc291cmNlcy9jcHMg
+IFZhbGlkYXRlZDEXMBUGA1UEAxMObXgxLm5hdXNjaC5vcmcwdjAQBgcqhkjOPQIB
-KGMpMTMxLzAtBgNVBAsTJkRvbWFpbiBDb250cm9sIFZhbGlkYXRlZCAtIFJhcGlk
+BgUrgQQAIgNiAATOPo6B46LEQAvE/YdgZ/0A2kTiECceAMJjfmj1F31sqBYQNJXZ
-U1NMKFIpMRUwEwYDVQQDDAwqLm5hdXNjaC5vcmcwggEiMA0GCSqGSIb3DQEBAQUA
+Ys1c/xTdggmrjpb+n/6xh5Wo3aU80Qe1fdAb/tjcWomdn/Y39J6E090xVCBoQB7p
-A4IBDwAwggEKAoIBAQDRhxUen7499yElJr2cOIPdg4u/E93rgFw3DhflaV54r8G3
+BeZPKAf5i7g4jGSjggM/MIIDOzAOBgNVHQ8BAf8EBAMCA4gwgYkGCCsGAQUFBwEB
-oA1U+brU7XNpnRVA+QHk1aXTnROwGX46mlxacKOQPE0U9dXMRFrWfnCcOCgUqkjY
+BH0wezBCBggrBgEFBQcwAoY2aHR0cDovL3NlY3VyZTIuYWxwaGFzc2wuY29tL2Nh
-vQdivwKUOJqfJfef0Zun4C7LabfP/Gb5TkFUC7+Hq3jzoZnifleRuK+2MZXX05/E
+Y2VydC9nc2FscGhhc2hhMmcycjEuY3J0MDUGCCsGAQUFBzABhilodHRwOi8vb2Nz
-+T5jKrVsanfh2bN6WKgzwvmPaurpelA1f5ciiaWcuXtTc8Hrshyko30IeyIxAJ2J
+cDIuZ2xvYmFsc2lnbi5jb20vZ3NhbHBoYXNoYTJnMjBXBgNVHSAEUDBOMEIGCisG
-aj3zHKEjuTMNn/fsMOOFO0LG2T68Wc9gFRa0ds1LXFbuwOxi1i/dLRWDFhGZtplp
+AQQBoDIBCgowNDAyBggrBgEFBQcCARYmaHR0cHM6Ly93d3cuZ2xvYmFsc2lnbi5j
-HOBlYBkwnEawpsHS+nQVEc2d7CFCBWr2MCSQLQQvAgMBAAGjggGzMIIBrzAfBgNV
+b20vcmVwb3NpdG9yeS8wCAYGZ4EMAQIBMAkGA1UdEwQCMAAwPgYDVR0fBDcwNTAz
-HSMEGDAWgBRraT1qGEJK3Y8CZTn9NSSGeJEWMDAOBgNVHQ8BAf8EBAMCBaAwHQYD
+oDGgL4YtaHR0cDovL2NybDIuYWxwaGFzc2wuY29tL2dzL2dzYWxwaGFzaGEyZzIu
-VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMCMGA1UdEQQcMBqCDCoubmF1c2No
+Y3JsMBkGA1UdEQQSMBCCDm14MS5uYXVzY2gub3JnMB0GA1UdJQQWMBQGCCsGAQUF
-Lm9yZ4IKbmF1c2NoLm9yZzBDBgNVHR8EPDA6MDigNqA0hjJodHRwOi8vcmFwaWRz
+BwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQU4KkvjEsSjOHjrZtO0+WtQVu4huQwHwYD
-c2wtY3JsLmdlb3RydXN0LmNvbS9jcmxzL3JhcGlkc3NsLmNybDAdBgNVHQ4EFgQU
+VR0jBBgwFoAU9c3VPAhQ+WpPOreX2laD5mnSaPcwggF9BgorBgEEAdZ5AgQCBIIB
-HjMj1hUDkcufmSmgDVeMt7sdoAkwDAYDVR0TAQH/BAIwADB4BggrBgEFBQcBAQRs
+bQSCAWkBZwB2AFWB1MIWkDYBSuoLm1c8U/DA5Dh4cCUIFy+jqh0HE9MMAAABaNxh
-MGowLQYIKwYBBQUHMAGGIWh0dHA6Ly9yYXBpZHNzbC1vY3NwLmdlb3RydXN0LmNv
+y6QAAAQDAEcwRQIhALLZ7bCbaXKUTPIQyzpXZ+spyVGlAJk8mDsb6Dtwp9mKAiAx
-bTA5BggrBgEFBQcwAoYtaHR0cDovL3JhcGlkc3NsLWFpYS5nZW90cnVzdC5jb20v
+O0walYwTiKADam3DswoeUeW/H5F3Xv2IngbIpQCHcQB2AKS5CZC0GFgUh7sTosxn
-cmFwaWRzc2wuY3J0MEwGA1UdIARFMEMwQQYKYIZIAYb4RQEHNjAzMDEGCCsGAQUF
+cAo8NZgE+RvfuON3zQ7IDdwQAAABaNxhy4sAAAQDAEcwRQIgUkR0TQf/mTd0B93v
-BwIBFiVodHRwOi8vd3d3Lmdlb3RydXN0LmNvbS9yZXNvdXJjZXMvY3BzMA0GCSqG
+drzZdlAmfn6PujwCd/BK4IpfQ98CIQCgtcxyu/bnjw9i9gE/58GWp1j0+lCNQkCe
-SIb3DQEBCwUAA4IBAQACZLmO7zRHC4zEXyXCHpIgZ/TIo8sdvGzDH2koZgU0ZlCR
+BkkWMbhF8gB1AG9Tdqwx8DEZ2JkApFEV/3cVHBHZAsEAKQaNsgiaN9kTAAABaNxh
-psebPpulKDr2Q6JYVPsS6z7sqw9SNCmVjeRngIgCpuih7DGUzrc7YzPw4vmGTgND
+y8QAAAQDAEYwRAIgM8oFFMaYS9yeX0tif6YcHj9Nak/bUtHwGx+K0E3mTK0CIBBq
-KTCQ8B3TqjYak3pG3LUUwsSIL1//oSuYKkdClmpNgFgYJegVdXrE3+EjuoLq5wwb
+i9iEl/E79vC02SqxnxE5kT6VQq5nNs7KY/pJb/PLMA0GCSqGSIb3DQEBCwUAA4IB
-xsGzO1KW5olUX7J4IwZbnE5ZRrhF+UIRtj1yPx2fqXOBGuqGdhZ4pTrsY20e6mJJ
+AQAvu5ioSMJpSfUx7krIcoAvQyBh9pfMCDXhu/nkQcVX5opEV2YhM1xDtMgpFyLL
-ZOK0RY0MFy1JN3cWAsL5mR3wZwLeUYXnwSHKqWHE0TjJcy5X6sLZP5IoOt61vu1
+BJKRAuiZhqVkgLx1AON2MdB2s9/9xg6/OMBNpX1uoN+/lELdEz0qLtVBfZp4+HlO
-Zv1GcT4i3a/8uGGAGINouL3WmdqQ5Uj5qyhceli
+BA3fuwtqE5SGRCKUhH+/B5HzajfmRgouUoOxtxItXlqzRszMCuguXVRRJBbHmvTH
+dpKcNT3MTJjN8wtqRLAsjG3xFRrpilnHjCgQQZJWMfzlaSI/6hiB5cWnCyIpINxe
+liaMDWRK5U25sCrNuF2fH47EnozWNoaOmU3QHvCW7tHMnA/+UC7J8YnvavfvkAfn
+NE63Uo6TqLjkgtRpLmBf2CBM
 -----END CERTIFICATE-----
-subject=/serialNumber=3S7x2lcbYiAccKZPoha0MSwP5hNsuSTP/OU=GT49447951/OU=See www.rapidssl.com/resources/cps (c)13/OU=Domain Control Validated - RapidSSL(R)/CN=*.nausch.org
+subject=/C=DE/OU=Domain Control Validated/CN=mx1.nausch.org
-issuer=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
+issuer=/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
 ---
-No client certificate CA names sent
+Acceptable client certificate CA names
-Server Temp Key: ECDH, secp384r1, 384 bits
+/C=DE/L=Munich/ST=Bavaria/O=Stadtsparkasse Muenchen (OnlineCA)/OU=OA/CN=SSKM CA/DC=sskm/DC=de
+/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
+/C=DE/O=Stadtsparkasse Muenchen/OU=OA/CN=SSKM ROOT CA
+/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
+/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
+/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
+/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
+/C=US/ST=New Jersey/L=Jersey City/O=Positive Software Corporation/CN=LiteSSL CA
+/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
+/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
+/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2
+/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
+/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
+/C=US/O=thawte, Inc./CN=thawte SSL CA - G2
+/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
+/C=DE/ST=Bayern/L=Pliening/O=nausch.org/OU=IT-Monitoring/CN=graylog CA/emailAddress=graylog-admin@nausch.org
+/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
+/OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
+/CN=ACCVRAIZ1/OU=PKIACCV/O=ACCV/C=ES
+/C=ES/O=FNMT-RCM/OU=AC RAIZ FNMT-RCM
+/C=IT/L=Milan/O=Actalis S.p.A./03358520967/CN=Actalis Authentication Root CA
+/C=US/O=AffirmTrust/CN=AffirmTrust Commercial
+/C=US/O=AffirmTrust/CN=AffirmTrust Networking
+/C=US/O=AffirmTrust/CN=AffirmTrust Premium
+/C=US/O=AffirmTrust/CN=AffirmTrust Premium ECC
+/C=US/O=Amazon/CN=Amazon Root CA 1
+/C=US/O=Amazon/CN=Amazon Root CA 2
+/C=US/O=Amazon/CN=Amazon Root CA 3
+/C=US/O=Amazon/CN=Amazon Root CA 4
+/CN=Atos TrustedRoot 2011/O=Atos/C=DE
+/C=ES/CN=Autoridad de Certificacion Firmaprofesional CIF A62634068
+/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
+/C=NO/O=Buypass AS-983163327/CN=Buypass Class 2 Root CA
+/C=NO/O=Buypass AS-983163327/CN=Buypass Class 3 Root CA
+/C=SK/L=Bratislava/O=Disig a.s./CN=CA Disig Root R2
+/C=CN/O=China Financial Certification Authority/CN=CFCA EV ROOT
+/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Certification Authority
+/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Certification Authority
+/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
+/C=FR/O=Dhimyotis/CN=Certigna
+/C=FR/O=Certinomis/OU=0002 433998903/CN=Certinomis - Root CA
+/C=FR/O=Certplus/CN=Class 2 Primary CA
+/C=FR/O=Certplus/CN=Certplus Root CA G1
+/C=FR/O=Certplus/CN=Certplus Root CA G2
+/C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA
+/C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA 2
+/C=EU/L=Madrid (see current address at www.camerfirma.com/address)/serialNumber=A82743287/O=AC Camerfirma S.A./CN=Chambers of Commerce Root - 2008
+/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
+/O=Cybertrust, Inc/CN=Cybertrust Global Root
+/C=DE/O=D-Trust GmbH/CN=D-TRUST Root Class 3 CA 2 2009
+/C=DE/O=D-Trust GmbH/CN=D-TRUST Root Class 3 CA 2 EV 2009
+/O=Digital Signature Trust Co./CN=DST Root CA X3
+/C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2
+/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
+/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root G2
+/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root G3
+/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
+/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2
+/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G3
+/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
+/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Trusted Root G4
+/C=TR/L=Ankara/O=E-Tu\xC4\x9Fra EBG Bili\xC5\x9Fim Teknolojileri ve Hizmetleri A.\xC5\x9E./OU=E-Tugra Sertifikasyon Merkezi/CN=E-Tugra Certification Authority
+/C=ES/O=Agencia Catalana de Certificacio (NIF Q-0801176-I)/OU=Serveis Publics de Certificacio/OU=Vegeu https://www.catcert.net/verarrel (c)03/OU=Jerarquia Entitats de Certificacio Catalanes/CN=EC-ACC
+/C=EE/O=AS Sertifitseerimiskeskus/CN=EE Certification Centre Root CA/emailAddress=pki@sk.ee
+/O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048)
+/C=US/O=Entrust, Inc./OU=www.entrust.net/CPS is incorporated by reference/OU=(c) 2006 Entrust, Inc./CN=Entrust Root Certification Authority
+/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2012 Entrust, Inc. - for authorized use only/CN=Entrust Root Certification Authority - EC1
+/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2009 Entrust, Inc. - for authorized use only/CN=Entrust Root Certification Authority - G2
+/C=CN/O=GUANG DONG CERTIFICATE AUTHORITY CO.,LTD./CN=GDCA TrustAUTH R5 ROOT
+/C=US/O=GeoTrust Inc./CN=GeoTrust Primary Certification Authority
+/C=US/O=GeoTrust Inc./OU=(c) 2007 GeoTrust Inc. - For authorized use only/CN=GeoTrust Primary Certification Authority - G2
+/C=US/O=GeoTrust Inc./OU=(c) 2008 GeoTrust Inc. - For authorized use only/CN=GeoTrust Primary Certification Authority - G3
+/C=US/O=GeoTrust Inc./CN=GeoTrust Universal CA
+/C=US/O=GeoTrust Inc./CN=GeoTrust Universal CA 2
+/OU=GlobalSign ECC Root CA - R4/O=GlobalSign/CN=GlobalSign
+/OU=GlobalSign ECC Root CA - R5/O=GlobalSign/CN=GlobalSign
+/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
+/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
+/C=EU/L=Madrid (see current address at www.camerfirma.com/address)/serialNumber=A82743287/O=AC Camerfirma S.A./CN=Global Chambersign Root - 2008
+/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
+/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
+/C=GR/L=Athens/O=Hellenic Academic and Research Institutions Cert. Authority/CN=Hellenic Academic and Research Institutions ECC RootCA 2015
+/C=GR/O=Hellenic Academic and Research Institutions Cert. Authority/CN=Hellenic Academic and Research Institutions RootCA 2011
+/C=GR/L=Athens/O=Hellenic Academic and Research Institutions Cert. Authority/CN=Hellenic Academic and Research Institutions RootCA 2015
+/C=HK/O=Hongkong Post/CN=Hongkong Post Root CA 1
+/C=US/O=Internet Security Research Group/CN=ISRG Root X1
+/C=US/O=IdenTrust/CN=IdenTrust Commercial Root CA 1
+/C=US/O=IdenTrust/CN=IdenTrust Public Sector Root CA 1
+/C=ES/O=IZENPE S.A./CN=Izenpe.com
+/C=LU/O=LuxTrust S.A./CN=LuxTrust Global Root 2
+/C=HU/L=Budapest/O=Microsec Ltd./CN=Microsec e-Szigno Root CA 2009/emailAddress=info@e-szigno.hu
+/C=HU/L=Budapest/O=NetLock Kft./OU=Tan\xC3\xBAs\xC3\xADtv\xC3\xA1nykiad\xC3\xB3k (Certification Services)/CN=NetLock Arany (Class Gold) F\xC5\x91tan\xC3\xBAs\xC3\xADtv\xC3\xA1ny
+/C=US/O=Network Solutions L.L.C./CN=Network Solutions Certificate Authority
+/C=CH/O=WISeKey/OU=Copyright (c) 2005/OU=OISTE Foundation Endorsed/CN=OISTE WISeKey Global Root GA CA
+/C=CH/O=WISeKey/OU=OISTE Foundation Endorsed/CN=OISTE WISeKey Global Root GB CA
+/C=FR/O=OpenTrust/CN=OpenTrust Root CA G1
+/C=FR/O=OpenTrust/CN=OpenTrust Root CA G2
+/C=FR/O=OpenTrust/CN=OpenTrust Root CA G3
+/C=BM/O=QuoVadis Limited/OU=Root Certification Authority/CN=QuoVadis Root Certification Authority
+/C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 1 G3
+/C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 2
+/C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 2 G3
+/C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 3
+/C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 3 G3
+/C=US/ST=Texas/L=Houston/O=SSL Corporation/CN=SSL.com EV Root Certification Authority ECC
+/C=US/ST=Texas/L=Houston/O=SSL Corporation/CN=SSL.com EV Root Certification Authority RSA R2
+/C=US/ST=Texas/L=Houston/O=SSL Corporation/CN=SSL.com Root Certification Authority ECC
+/C=US/ST=Texas/L=Houston/O=SSL Corporation/CN=SSL.com Root Certification Authority RSA
+/C=PL/O=Krajowa Izba Rozliczeniowa S.A./CN=SZAFIR ROOT CA2
+/C=JP/O=Japan Certification Services, Inc./CN=SecureSign RootCA11
+/C=US/O=SecureTrust Corporation/CN=SecureTrust CA
+/C=US/O=SecureTrust Corporation/CN=Secure Global CA
+/C=JP/O=SECOM Trust Systems CO.,LTD./OU=Security Communication RootCA2
+/C=JP/O=SECOM Trust.net/OU=Security Communication RootCA1
+/C=FI/O=Sonera/CN=Sonera Class2 CA
+/C=NL/O=Staat der Nederlanden/CN=Staat der Nederlanden EV Root CA
+/C=NL/O=Staat der Nederlanden/CN=Staat der Nederlanden Root CA - G2
+/C=NL/O=Staat der Nederlanden/CN=Staat der Nederlanden Root CA - G3
+/C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority
+/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Root Certificate Authority - G2
+/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Services Root Certificate Authority - G2
+/C=CH/O=SwissSign AG/CN=SwissSign Gold CA - G2
+/C=CH/O=SwissSign AG/CN=SwissSign Silver CA - G2
+/C=DE/O=T-Systems Enterprise Services GmbH/OU=T-Systems Trust Center/CN=T-TeleSec GlobalRoot Class 2
+/C=DE/O=T-Systems Enterprise Services GmbH/OU=T-Systems Trust Center/CN=T-TeleSec GlobalRoot Class 3
+/C=TR/L=Gebze - Kocaeli/O=Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK/OU=Kamu Sertifikasyon Merkezi - Kamu SM/CN=TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1
+/C=TW/O=TAIWAN-CA/OU=Root CA/CN=TWCA Global Root CA
+/C=TW/O=TAIWAN-CA/OU=Root CA/CN=TWCA Root Certification Authority
+/C=TW/O=Government Root Certification Authority
+/O=TeliaSonera/CN=TeliaSonera Root CA v1
+/C=PA/ST=Panama/L=Panama City/O=TrustCor Systems S. de R.L./OU=TrustCor Certificate Authority/CN=TrustCor ECA-1
+/C=PA/ST=Panama/L=Panama City/O=TrustCor Systems S. de R.L./OU=TrustCor Certificate Authority/CN=TrustCor RootCert CA-1
+/C=PA/ST=Panama/L=Panama City/O=TrustCor Systems S. de R.L./OU=TrustCor Certificate Authority/CN=TrustCor RootCert CA-2
+/C=GB/O=Trustis Limited/OU=Trustis FPS Root CA
+/C=TR/L=Ankara/O=T\xC3\x9CRKTRUST Bilgi \xC4\xB0leti\xC5\x9Fim ve Bili\xC5\x9Fim G\xC3\xBCvenli\xC4\x9Fi Hizmetleri A.\xC5\x9E./CN=T\xC3\x9CRKTRUST Elektronik Sertifika Hizmet Sa\xC4\x9Flay\xC4\xB1c\xC4\xB1s\xC4\xB1 H5
+/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust ECC Certification Authority
+/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
+/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2007 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G4
+/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
+/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2008 VeriSign, Inc. - For authorized use only/CN=VeriSign Universal Root Certification Authority
+/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 1999 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G3
+/C=US/O=VISA/OU=Visa International Service Association/CN=Visa eCommerce Root
+/C=US/OU=www.xrampsecurity.com/O=XRamp Security Services Inc/CN=XRamp Global Certification Authority
+/C=RO/O=certSIGN/OU=certSIGN ROOT CA
+/C=TW/O=Chunghwa Telecom Co., Ltd./OU=ePKI Root Certification Authority
+/C=US/O=thawte, Inc./OU=(c) 2007 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA - G2
+/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2008 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA - G3
+Client Certificate Types: RSA sign, DSA sign, ECDSA sign
+Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
+Shared Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
+Peer signing digest: SHA512
+Server Temp Key: ECDH, P-384, 384 bits
 ---
-SSL handshake has read 4057 bytes and written 442 bytes
+SSL handshake has read 19640 bytes and written 494 bytes
 ---
-New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
+New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES256-GCM-SHA384
-Server public key is 2048 bit
+Server public key is 384 bit
 Secure Renegotiation IS supported
 Compression: NONE
 Expansion: NONE
+No ALPN negotiated
 SSL-Session:
     Protocol  : TLSv1.2
-    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
+    Cipher    : ECDHE-ECDSA-AES256-GCM-SHA384
-    Session-ID: 73C80E733671FD4E5012E569A1C6B8053DC7CCD7D5BAA7CB824A7608B14E0F87
+    Session-ID: 00E14958A9E2CCF094B038EB453E036859E4CDED4B1041968E22986E6C267083
     Session-ID-ctx:
-    Master-Key: 24BA85939899214B7F27361C9BE49B3BA8756F3FCBF6B504346CF4CD17445A26A0F91BF1495B35F632ECDEEAFD8A3F93
+    Master-Key: 3CDED76860B11143F71233200F8F63059491E854E0D2E10DB719DB6CD58C4AF53A7387507ED94BB229D4785A33A1CDEE
     Key-Arg   : None
     Krb5 Principal: None
@@ Zeile 3228: / Zeile 3376: @@
     TLS session ticket lifetime hint: 7200 (seconds)
     TLS session ticket:
-- a1 0e 3f 20 a4 82 fc 58-2e 40 23 06 99 ac 5a d1   ..? ...X.@#...Z.
+- 21 d5 ca a3 29 93 27 53-18 10 fc cb c3 05 95 21   !...).'S.......!
-- 86 06 3a 5c 57 99 91 70-6a df ec ba 04 65 43 a5   ..:\W..pj....eC.
+- 72 db f9 54 aa 9e 5b 7e-72 11 77 c2 5b 35 3c 23   r..T..[~r.w.[5<#
-- 45 03 af 61 3d 59 10 f8-eb 6a 94 aa 4c b7 50 82   E..a=Y...j..L.P.
+- 5e eb e6 f7 15 06 4e 7e-53 14 b3 32 14 2b ac 29   ^.....N~S..2.+.)
-- b6 ca a1 be 4f 10 fa 67-a5 90 fa f9 92 fe 3c 79   ....O..g......<y
+- 8a fd 9b 8e d7 a5 58 a7-05 df 6f 74 26 1a be 19   ......X...ot&...
-- 57 bf 34 22 83 47 db f7-5c 8e fc 5b d5 25 f4 47   W.4".G..\..[.%.G
+- cf e2 86 b8 56 70 1d 5f-40 15 50 e5 bc 00 c2 f5   ....Vp._@.P.....
-- 16 cf 5c 05 f9 0d 96 aa-92 9d 11 ff 68 dc 56 3b   ..\.........h.V;
+- 8b a1 41 d8 4d 55 da a0-e3 a2 75 ff 5d 19 e4 12   ..A.MU....u.]...
-- 8e 02 99 79 a1 ba 31 68-38 91 1e 4e 51 94 aa 64   ...y..1h8..NQ..d
+- a0 aa cb 43 d9 53 9c d7-76 51 c2 dc 7c 69 b5 fa   ...C.S..vQ..|i..
-- 0a 73 fd 0f b3 e2 74 ab-71 ed ad 2e 5d e8 ac 7c   .s....t.q...]..|
+- dd 32 82 a4 80 ef 13 b2-4a 75 02 ed d3 c3 78 08   .2......Ju....x.
-- 41 6e d1 2c 7a 28 30 98-b1 33 3b 34 55 34 b4 30   An.,z(0..3;4U4.0
+- f5 52 c8 c2 d7 53 80 4d-0c 5b 90 93 f1 d2 af cf   .R...S.M.[......
-- 23 30 69 4b ac 01 76 5d-5f c9 6a 42 14 0c 05 d8   #0iK..v]_.jB....
+- 7f a8 fa 63 06 dc 39 91-ad fd f0 c3 d5 30 a2      ...c..9......0.
+a0 - <SPACES/NULS>
-    Start Time: 1414359330
+    Start Time: 1550179126
     Timeout   : 300 (sec)
     Verify return code: 0 (ok)
 ---
- DSN
+ 8BITMIME
 quit
 2.0.0 Bye
@@ Zeile 3255: / Zeile 3404: @@
 Die Verbindung wurde uns im Maillog entsprechend positiv quittiert:
-<code>Oct 26 22:35:30 vml000087 postfix/smtpd[22081]: connect from vml000087.dmz.nausch.org[10.0.0.87]
+<code>Feb 14 22:35:30 vml000087 postfix/smtpd[22081]: connect from vml000087.dmz.nausch.org[10.0.0.87]
-Oct 26 22:35:30 vml000087 postfix/smtpd[22081]: Anonymous TLS connection established from vml000087.dmz.nausch.org[10.0.0.87]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
+Feb 14 22:35:30 vml000087 postfix/smtpd[22081]: Anonymous TLS connection established from vml000087.dmz.nausch.org[10.0.0.87]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
-Oct 26 22:35:34 vml000087 postfix/smtpd[22081]: disconnect from vml000087.dmz.nausch.org[10.0.0.87]
+Feb 14 22:35:34 vml000087 postfix/smtpd[22081]: disconnect from vml000087.dmz.nausch.org[10.0.0.87]
 </code>
@@ Zeile 3264: / Zeile 3413: @@
 Mit nachfolgendem Aufruf kann überprüft werden, welche Ciphers angeboten werden.
-   # /usr/local/src/cipherscan-master/cipherscan -o /usr/local/src/cipherscan-master/openssl --curves -starttls smtp mx1.nausch.org:587
+   # /usr/local/src/cipherscan/cipherscan -o /usr/local/src/cipherscan/openssl --curves -starttls smtp mx1.nausch.org:587
 <code>.....................................
@@ Zeile 3295: / Zeile 3444: @@
 Die Bewertung der einzelnen Chiffren müssen wir hier immer noch selbst vornehmen; hilfreiche Informationen hierzu findet man z.B. im Buch **//[[https://www.feistyduck.com/books/bulletproof-ssl-and-tls/|BULLETPROOF SSL AND TLS]]//** von **[[http://blog.ivanristic.com/|Ivan Ristić]]**. Wir können aber auch zur genauen Bewertung der TLS-Verwundbarkeit unseres SMTP-Servers auf das nachfolgend beschriebene Projekt **[[centos:mail_c7:mta_5#testssl|testssl]]** zurückgreifen.
 ==== testssl ====
@@ Zeile 3303: / Zeile 3451: @@
 Zum Testen unseres SMTP-Servers nutzen wir nachfolgenden Aufruf.
-   # testssl.sh --starttls smtp 10.0.0.87:25
+   # testssl --starttls smtp mx1.nausch.org:25
 Als Ergebnis erhalten wir eine ausführliche Aufstellung zum TLS-Gesundheitszustandes unseres Servers.
@@ Zeile 3311: / Zeile 3459: @@
 <font style="color: rgb(0, 0, 0)">
 <b>###########################################################
-    testssl.sh       2.6 from https://testssl.sh/
+    testssl.sh       2.9.5 from https://testssl.sh/
     (</font><font style="color: rgb(104, 104, 104)">1.379c 2015/09/29 16:47:47</font><font style="color: rgb(0, 0, 0)">)
@@ Zeile 3322: / Zeile 3470: @@
 ###########################################################
 </b>
-Using "OpenSSL 1.0.2-chacha (1.0.2d-dev)" [~181 ciphers] on
+Using "OpenSSL 1.1.1a FIPS  20 Nov 2018" [~186 ciphers]
- vml000087.dmz.nausch.org:/root/bin/openssl.Linux.x86_64
+ on T410:/usr/bin/openssl
- (built: "Jul  6 18:05:33 2015", platform: "linux-x86_64")
+ (built: "Jan 15 14:37:19 2019", platform: "linux-x86_64")
-<font style="background-color:black"><font style="color: rgb(255, 255, 255)">Testing now (2015-10-13 12:54) ---> 10.0.0.87:25 (10.0.0.87) <---</font></font>
+<font style="background-color:black"><font style="color: rgb(255, 255, 255)">Start 2019-02-14 22:43:48        -->> 10.0.0.87:587 (10.0.0.87) <<--</font></font>
  rDNS (10.0.0.87):       vml000087.dmz.nausch.org.
@@ Zeile 3428: / Zeile 3576: @@
-<font style="background-color:black"><font style="color: rgb(255, 255, 255)">Done now (2015-10-13 12:55) ---> 10.0.0.87:25 (10.0.0.87) <---</font></font>
+<font style="background-color:black"><font style="color: rgb(255, 255, 255)">Done 2019-02-14 22:46:04 [  30s] -->> 217.92.13.131:25 (mx1.nausch.org) <<--</font></font>
 </pre></html>
 ==== ssl-tools.net ====
@@ Zeile 3446: / Zeile 3595: @@
 Der verschlüsselte Transportweg wird in der Headerzeilen einer eMail entsprechend vermerkt:
 <code>Received: from mx1.tachtler.net (mx1.tachtler.net [88.217.171.167]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested)
-	   by mx1.nausch.org (Postfix) with ESMTP for <michael@nausch.org>; Thu, 26 Mar 2009 09:30:36 +0100 (CET)</code>
+	   by mx1.nausch.org (Postfix) with ESMTP for <michael@nausch.org>; Thu, 14 Feb 2019 19:13:37 +0100 (CET)</code>
 Auch im **Maillog** wird die gesicherte Kommunikation protokolliert:
-<code>Mar 26 23:40:40 nss postfix/smtp[18519]: setting up TLS connection to mx1.tachtler.net
+<code>Feb 14 19:13:37 nss postfix/smtp[18519]: setting up TLS connection to mx1.tachtler.net
-Mar 26 23:40:40 nss postfix/smtp[18519]: TLS connection established to mx1.tachtler.net: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
+Feb 14 19:13:37 nss postfix/smtp[18519]: TLS connection established to mx1.tachtler.net: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
-Mar 26 23:40:52 nss postfix/smtp[18519]: ECC0E1158526: to=<root@tachtler.net>, relay=mx1.tachtler.net[88.217.171.167]:25, delay=13, delays=0.01/0.14/0.81/12, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as D7C7141582)</code>
+Feb 14 19:13:37 nss postfix/smtp[18519]: ECC0E1158526: to=<root@tachtler.net>, relay=mx1.tachtler.net[88.217.171.167]:25, delay=13, delays=0.01/0.14/0.81/12, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as D7C7141582)</code>
 ==== TLS-Verkehrsstatistik ====
-Bei bedarf können wir uns bei unserem Mailserver, mit Hilfe der nachfolgenden Befehle, einen Überblick über Anzahl und Art der einzelnen TLS-Verbindungen anzeigen lassen.
+Bei Bedarf können wir uns bei unserem Mailserver, mit Hilfe der nachfolgenden Befehle, einen Überblick über Anzahl und Art der einzelnen TLS-Verbindungen anzeigen lassen.
 === ankommender TLS-Verkehr ===
-   # grep 'TLS connection established from' /var/log/maillog | sed -e 's/^.*\]\: //' -e 's/ with cipher.*//' | sort | uniq -c
+Wieviele verschlüsselte Verbindungen unser MTA angenommen hat, verrät uns ein Blick in das Maillog. Dort suchen wir nach den entsprechenden Zeilen mit z.B. mit folgender Abfrage.
-<code>  42184 TLSv1
+   # egrep "TLS connection established from.*with cipher" /var/log/maillog | awk '{printf("%s\n", $12)}'  \
-TLSv1.2</code>
+           | sort | uniq -c | sort -nr
+<code>193593 TLSv1.2
+TLSv1
+TLSv1.1
+</code>
+Eine Aufstellung der unterschiedlichen Protokolle mit den verwendeten Ciphern ermitteln wir mit folgendem Befehl:
+   # egrep "TLS connection established from.*with cipher" /var/log/maillog | awk '{printf("%s %s %s %s\n", $12, $13, $14, $15)}' \
+           | sort | uniq -c | sort -nr
+<code> 238038 TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384
+TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384
+TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384
+TLSv1 with cipher DHE-RSA-AES256-SHA
+TLSv1.2 with cipher ECDHE-ECDSA-AES256-SHA384
+TLSv1 with cipher ECDHE-RSA-AES256-SHA
+TLSv1 with cipher ECDHE-ECDSA-AES256-SHA
+TLSv1.2 with cipher AES256-GCM-SHA384
+TLSv1.2 with cipher DHE-RSA-AES256-SHA256
+TLSv1.2 with cipher ECDHE-RSA-AES256-SHA
+TLSv1.1 with cipher ECDHE-RSA-AES256-SHA
+TLSv1.1 with cipher ECDHE-ECDSA-AES256-SHA
+TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384
+TLSv1.2 with cipher AES256-SHA256
+TLSv1.2 with cipher AES256-SHA
+TLSv1.2 with cipher AES128-GCM-SHA256
+TLSv1.2 with cipher AES128-SHA256
+TLSv1.2 with cipher AES128-SHA
+TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256
+TLSv1.2 with cipher ECDHE-RSA-AES128-SHA
+TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256
+TLSv1.2 with cipher DHE-RSA-CAMELLIA256-SHA
+TLSv1.2 with cipher DHE-RSA-CAMELLIA128-SHA
+TLSv1.2 with cipher DHE-RSA-AES256-SHA
+TLSv1.2 with cipher DHE-RSA-AES128-SHA256
+TLSv1.2 with cipher DHE-RSA-AES128-SHA
+TLSv1.2 with cipher DHE-RSA-AES128-GCM-SHA256
+TLSv1.1 with cipher AES256-SHA
+TLSv1 with cipher AES256-SHA
+TLSv1 with cipher AES128-SHA
+TLSv1.2 with cipher CAMELLIA256-SHA
+TLSv1.2 with cipher ECDHE-ECDSA-AES256-SHA
+TLSv1.2 with cipher CAMELLIA128-SHA
+TLSv1.1 with cipher AES128-SHA
+TLSv1 with cipher ECDHE-RSA-AES128-SHA
+TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA
+TLSv1 with cipher DHE-RSA-CAMELLIA128-SHA
+TLSv1 with cipher DHE-RSA-AES128-SHA
+TLSv1 with cipher CAMELLIA256-SHA
+TLSv1 with cipher CAMELLIA128-SHA
+TLSv1.2 with cipher ECDHE-ECDSA-AES128-SHA256
+TLSv1.2 with cipher ECDHE-ECDSA-AES128-SHA
+TLSv1.2 with cipher ECDHE-ECDSA-AES128-GCM-SHA256
+TLSv1.1 with cipher ECDHE-RSA-AES128-SHA
+TLSv1.1 with cipher DHE-RSA-CAMELLIA256-SHA
+TLSv1.1 with cipher DHE-RSA-CAMELLIA128-SHA
+TLSv1.1 with cipher DHE-RSA-AES256-SHA
+TLSv1.1 with cipher DHE-RSA-AES128-SHA
+TLSv1.1 with cipher CAMELLIA256-SHA
+TLSv1.1 with cipher CAMELLIA128-SHA
+TLSv1 with cipher ECDHE-ECDSA-AES128-SHA
+TLSv1.1 with cipher ECDHE-ECDSA-AES128-SHA</code>
 === ausgehender TLS-Verkehr ===
+Wollen wir wissen wieviele TLS gesichete Verbindungen unser Mailserver zu anderen aufbaut können wir dies wie folgt abrufen
    # grep 'TLS connection established to' /var/log/maillog | sed -e 's/^.*\]:25\: //' -e 's/ with cipher.*//' | sort | uniq -c
-<code>  69741 TLSv1
+<code>  324664 TLSv1.2</code>
- TLSv1.1
- TLSv1.2</code>
+Wollen wir wissen welche Cipher bei den unterschiedlichen Protokollen verwendet wurden, fragen wir dies mit folgendem Befehl ab:
+   # egrep "TLS connection established to.*with cipher" /var/log/maillog | awk '{printf("%s %s %s %s\n", $12, $13, $14, $15)}' \
+             | sort | uniq -c | sort -nr
+<code> 181337 TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256
+TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384
+TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384
+TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384
+TLSv1.2 with cipher DHE-RSA-AES256-SHA256
+ TLSv1.2 with cipher AES256-GCM-SHA384</code>
 === graphische Übersicht des TLS-Clientverkehrs ===