I think I found a solution to this, by modifying the default high list to:

tls_high_cipherlist = ECDSA:aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH

The server now prefers ECDSA over RSA. Can someone cross-check whether that is the correct 
solution for the problem and does not pose any risk?

thanks,

_
Zbyszek Żółkiewski

> Message written by Zbyszek Żółkiewski <t...@onefellow.com> on 
> 13.04.2017, at 13:33:
> 
> Hi all,
> 
> Question: Postfix 2.11: I have configured both RSA and ECDSA support on the 
> server (smtpd_tls_cert_file and smtpd_tls_eccert_file) and support for ECDSA 
> works great - however, ECDSA is _never_ selected as the cipher for sending or 
> receiving mail. 
> To check whether it is properly configured, I have disabled RSA support and am running 
> the server only with ECDSA, and I confirm it works with Gmail servers, for example 
> (cipher ECDHE-ECDSA…).
> Is there any way I can force Postfix to first try ECDHE-ECDSA… and then 
> fall back to RSA? Note, I have tried a custom tls_high_cipherlist but no luck… 
> 
> thanks,
> 
> _
> Zbyszek Żółkiewski
> 
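
One way to cross-check the effective order of a cipher list like the one in this thread, as an added example that is not part of the original messages: the script parses output in the format printed by `openssl ciphers -v '<cipherlist>'` and reports whether ECDSA-authenticated suites come before RSA ones and whether anonymous (`Au=None`) or RC4 suites are still present. The sample lines and all function names are constructed for illustration.

```python
import re

# Constructed sample in the format printed by `openssl ciphers -v '<cipherlist>'`.
SAMPLE = """\
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
AECDH-AES256-SHA SSLv3 Kx=ECDH Au=None Enc=AES(256) Mac=SHA1
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-RC4-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=RC4(128) Mac=SHA1
"""

def parse(text):
    """Turn `openssl ciphers -v` lines into dicts, keeping list order."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip blank or malformed lines
        fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        m = re.match(r"([^(]+)(?:\((\d+)\))?", fields.get("Enc", ""))
        rows.append({
            "name": parts[0],
            "au": fields.get("Au"),
            "enc": m.group(1) if m else "",
            "bits": int(m.group(2)) if m and m.group(2) else 0,
        })
    return rows

def audit(rows):
    """Report ECDSA-vs-RSA ordering plus suites that deserve a second look."""
    def first(au):
        return next((i for i, r in enumerate(rows) if r["au"] == au), None)
    e, r_ = first("ECDSA"), first("RSA")
    # With @STRENGTH the list is grouped by key length, so check each tier's leader.
    leaders = {}
    for r in rows:
        if r["au"] in ("ECDSA", "RSA"):
            leaders.setdefault(r["bits"], r["au"])
    has_ecdsa = {r["bits"] for r in rows if r["au"] == "ECDSA"}
    return {
        "ecdsa_preferred": e is not None and (r_ is None or e < r_),
        "rsa_led_tiers": sorted(b for b, a in leaders.items()
                                if a == "RSA" and b in has_ecdsa),
        "anonymous": [r["name"] for r in rows if r["au"] == "None"],
        "rc4": [r["name"] for r in rows if r["enc"] == "RC4"],
    }

if __name__ == "__main__":
    print(audit(parse(SAMPLE)))
```

To audit a real list, feed the function the text produced by `openssl ciphers -v` for that cipher string instead of `SAMPLE`.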
