Hi, I've noticed that my Postfix installation does select in some cases (especially if Postfix is running on both ends) AECDH-AES256-SHA instead of ECDHE-RSA-AES256-GCM-SHA384. The receiving Postfix does support ECDHE-RSA-AES256-GCM-SHA384 and connections with that cipher are possible.
But if Postfix connects to that server, it uses only AECDH-AES256-SHA. Unfortunately, I'm not able to find the reason for this behaviour.

My Postfix TLS configuration (same on both ends):

tls_random_source = dev:/dev/random
tls_preempt_cipherlist = yes
smtpd_tls_key_file = ${config_directory}/ssl/mail.dogan.ch.key
smtpd_tls_cert_file = ${config_directory}/ssl/mail.dogan.ch.crt
smtpd_tls_received_header = yes
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:/var/db/postfix/smtpd_scache
smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem
smtpd_tls_dh512_param_file = ${config_directory}/dh512.pem
smtpd_tls_eecdh_grade = ultra
smtp_use_tls = yes
smtpd_tls_mandatory_exclude_ciphers = aNULL
smtpd_tls_mandatory_ciphers = high
smtp_tls_CAfile = /usr/local/share/certs/ca-root-nss.crt
smtp_tls_loglevel = 1
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane

Is there a reason why Postfix smtp behaves that way and how can I change this?

Ihsan

-- 
ih...@dogan.ch
http://blog.dogan.ch/