On Wed, Jan 22, 2025 at 13:40:34 +1100, Viktor Dukhovni via Postfix-users wrote:
> Nothing in the Postfix config, but do note that on RedHat / Fedora
> systems there's also "crypto policy" that cranks up security to 11 to
> protect users against fairly exotic threats, so you end up with
> cleartext instead of reasonably, but not maximally secure TLS.

On RHEL 9 servers (which matches OP's postfix 3.5.25 and openssl 3.2.2) you generally want to use `update-crypto-policies --set DEFAULT:SHA1` for mailservers, to improve interoperability.

(For services other than mail, the defaults are probably fine.)

Geert