On Wed, Nov 05, 2025 at 02:37:02PM -0500, pgnd via Postfix-users wrote:
> > Take into account that source deals with TLS for HTTPS.
> >
> > HTTPS and SMTP are two *totally* different things when it comes to TLS best
> > practices.
>
> the source has a selector that allows you to 'select' your server, and
> generate a server-specific config.
>
> e.g.,
>
> Postfix 3.10.5, OpenSSL 3.5.4, intermediate config
>
> https://ssl-config.mozilla.org/#server=postfix&version=3.10.5&config=intermediate&openssl=3.5.4&guideline=5.7
>
> 'generates' a postfix-specific config.
> you'd hope that'd be at least generally good, if not best, practice.
>
> but that's likely not the only point implied above.
Just because they know how to emit bad advice in a Postfix-specific
format, does not make it good advice. Frankly, I also don't consider
their advice to be good advice for HTTP, because it encourages users
to lock in a point-in-time selection of ciphers that:
- May not be a good match at a later point in time.
- May not be a good match when the user's software stack is updated.
- May not be a good match for the user's threat model.
The folks giving such advice usually heavily optimise for "attack
surface reduction", at the cost of interoperability or configuration
stability (you need to keep changing the settings regularly as
practices, software stacks and standards evolve).
My take is that for most users that is the wrong tradeoff. A sensibly
robust setting with better longevity serves most users better than a
fine-tuned point-in-time optimisation for unrealistic threats.
--
Viktor. 🇺🇦 Слава Україні!
_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
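As an added example that is not part of this thread or of Postfix itself, a small Python audit that reads a main.cf fragment and reports the settings that freeze a point-in-time cipher or protocol choice instead of leaving it to a Postfix grade. Both config fragments are constructed for illustration; the pinned one only imitates the generator's style and is not its actual output.

```python
"""Audit a Postfix main.cf for point-in-time TLS pins (constructed example)."""
import re
# Parameters whose value is a literal OpenSSL cipher string; setting one
# replaces Postfix's grade-based selection (e.g. smtpd_tls_ciphers = medium)
# with a list that is only as current as the day it was pasted in.
CIPHER_STRING_PARAMS = {
    "tls_high_cipherlist", "tls_medium_cipherlist", "tls_low_cipherlist",
    "smtpd_tls_exclude_ciphers", "smtpd_tls_mandatory_exclude_ciphers",
}
# Protocol selectors; "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1" names versions one by one.
PROTOCOL_PARAMS = {
    "smtpd_tls_protocols", "smtpd_tls_mandatory_protocols",
    "smtp_tls_protocols", "smtp_tls_mandatory_protocols",
}

def parse_main_cf(text):
    """Minimal main.cf reader: 'name = value', '#' comments, whitespace-led continuations."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] += " " + raw.strip()  # continuation of previous value
            continue
        name, _, value = raw.partition("=")
        current = name.strip()
        params[current] = value.strip()
    return params

def audit_tls_pins(text):
    """Return [(parameter, reason)] for each setting that freezes a cipher or
    protocol choice instead of leaving it to a Postfix grade."""
    findings = []
    for name, value in parse_main_cf(text).items():
        if name in CIPHER_STRING_PARAMS and value:
            findings.append((name, "literal OpenSSL cipher string overrides the grade default"))
        elif name in PROTOCOL_PARAMS and re.search(r"![A-Za-z]+v\d", value):
            findings.append((name, "protocol versions pinned by explicit exclusion list"))
    return findings

# Constructed fragments: one in the generator's pinned style, one using grades only.
PINNED_CF = """\
smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_ciphers = medium
tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:
    ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
"""
GRADE_CF = "smtpd_tls_security_level = may\nsmtpd_tls_ciphers = medium\nsmtpd_tls_mandatory_ciphers = medium\n"
```

Running `audit_tls_pins(PINNED_CF)` flags the protocol exclusion list and the overridden `tls_medium_cipherlist`, while the grade-only fragment produces no findings.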