Hello,
as documented [1], tls_eecdh_auto_curves configures "Postfix SMTP
client AND server".
This "AND" hurts me a little bit:
Operating a submission server, I know my clients are capable of the
X25519MLKEM768 key exchange.
But we have some remote destinations unable to handle TLS if the
SMTP client offers X25519MLKEM768.
Looks like there are MTU issues somewhere. A TLS ClientHello packet is
usually ~400 bytes "small", but extends to >1400 bytes if X25519MLKEM768
is enabled.
Some outbound TLS connections fail, the SMTP client falls back to
plaintext, all messages to these destinations are deferred for ~5
minutes [2]
(my logs do not indicate such MTU trouble on DANE-enabled remote
destinations, maybe better operator skills there?)
Anyway: could I configure Postfix to offer X25519MLKEM768 at the
submission server but not when acting as SMTP client?
Andreas
[1] https://www.postfix.org/postconf.5.html#tls_eecdh_auto_curves
[2] https://www.postfix.org/postconf.5.html#minimal_backoff_time