Hi Viktor,

On Saturday, 02 Aug 2014 15:32 +0000, Viktor Dukhovni wrote:
> > I've noticed that my Postfix installation does select in some
> > cases (especially if Postfix is running on both ends)
> > AECDH-AES256-SHA instead of ECDHE-RSA-AES256-GCM-SHA384. The
> > receiving Postfix does support ECDHE-RSA-AES256-GCM-SHA384 and
> > connections with that cipher are possible.
> >
> > But if Postfix connects to that server, it uses only
> > AECDH-AES256-SHA. Unfortunately, I'm not able to find the reason
> > for this behaviour.
>
> This is by design. With opportunistic encryption, which entails no
> certificate checks, Postfix prefers anonymous Diffie-Hellman (DH),
> and the elliptic curve variant thereof, to ciphersuites that use
> futile certificates.

Ok, thanks for clarifying.

Ihsan

-- 
ih...@dogan.ch
http://blog.dogan.ch/
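
The behaviour discussed in this thread can be measured from the sending side's mail log. The following is an added example, not part of the original thread or of Postfix itself: it counts, per destination, how many outbound sessions negotiated an anonymous (ADH/AECDH) suite versus a certificate-based one. The log line layout, hostnames and addresses are constructed and assume the SMTP client's TLS summary lines are being logged.

```python
import re
from collections import Counter

# Constructed sample lines in the style of the Postfix SMTP client's TLS
# summary log entries (assumed format; hosts and IPs are placeholders).
SAMPLE_LOG = """\
Aug  2 15:40:01 mx1 postfix/smtp[2101]: Anonymous TLS connection established to mail.example.org[192.0.2.10]:25: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
Aug  2 15:41:17 mx1 postfix/smtp[2107]: Untrusted TLS connection established to mx.example.net[198.51.100.7]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Aug  2 15:42:30 mx1 postfix/smtp[2111]: Anonymous TLS connection established to mail.example.org[192.0.2.10]:25: TLSv1.2 with cipher ADH-AES256-SHA (256/256 bits)
Aug  2 15:43:02 mx1 postfix/smtp[2111]: 4F2A1C0: to=<user@example.org>, relay=mail.example.org[192.0.2.10]:25, status=sent
"""

TLS_LINE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<status>\w+) TLS connection established to "
    r"(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+): "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+)"
)


def is_anonymous(cipher):
    """OpenSSL names anonymous DH / ECDH suites with an ADH- or AECDH- prefix."""
    return cipher.startswith(("ADH-", "AECDH-"))


def audit(log_text):
    """Return {host: Counter} of anonymous vs certificate-based TLS sessions."""
    counts = {}
    for line in log_text.splitlines():
        m = TLS_LINE.search(line)
        if not m:
            continue  # delivery status or other non-TLS line
        kind = "anonymous" if is_anonymous(m["cipher"]) else "certificate"
        counts.setdefault(m["host"], Counter())[kind] += 1
    return counts


if __name__ == "__main__":
    for host, c in sorted(audit(SAMPLE_LOG).items()):
        print(f"{host}: anonymous={c['anonymous']} certificate={c['certificate']}")
```
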