On Tue, Feb 13, 2024 at 01:20:00PM -0500, Wietse Venema via Postfix-users wrote:
> > Obsoleted by automatic negotiation in the SSL code:
> >
> >   - smtpd_tls_dh1024_param_file = auto
> >   - smtpd_tls_eecdh_grade = auto
> >
> > [ We could delete the underlying support code for the explicit choices,
> >   and always use 'auto' with a warning if the configuration specifies
> >   a different choice.  Mind you, automatic DH group negotiation is
> >   prone to choosing largish > 2048-bit groups, when the server will sign
> >   with a large RSA private key, but this feels somewhat justifiable. ]
>
> Isn't that TLS version dependent, or have we already lost support for
> the old way?

For EECDH, "auto" has worked for a long time, and is basically an
interoperability requirement!

Automatic (FF)DH group selection in the SSL stack requires OpenSSL 3.0,
but recent Postfix versions emulate "auto" by using a compiled in DH
group, which is quite "good enough" in practice.  So "auto" already
works.

--
    Viktor.
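
As an added example (not part of the original message and not Postfix code), the Python sketch below scans main.cf text for the two parameters named in the thread and reports any explicit value other than "auto". The sample configuration is constructed, and treating an unset or empty value as "no explicit choice" is an assumption.

```python
# Added example, not Postfix code: find explicit non-"auto" TLS DH/EECDH settings.
OBSOLETED = ("smtpd_tls_dh1024_param_file", "smtpd_tls_eecdh_grade")

def parse_main_cf(text):
    """Return {parameter: value} using main.cf's logical-line rules."""
    params, current = {}, None
    for raw in text.splitlines():
        stripped = raw.strip()
        # Blank and comment lines are ignored, even inside a continued value.
        if not stripped or stripped.startswith("#"):
            continue
        # A line that starts with whitespace continues the previous logical line.
        if raw[0] in " \t":
            if current is not None:
                params[current] = (params[current] + " " + stripped).strip()
            continue
        name, sep, value = raw.partition("=")
        current = name.strip() if sep else None
        if current:
            params[current] = value.strip()  # a later assignment replaces an earlier one
    return params

def non_auto_settings(text):
    """List (parameter, value) pairs that pin something other than 'auto'."""
    params = parse_main_cf(text)
    findings = []
    for name in OBSOLETED:
        value = params.get(name)
        # Assumption: unset or empty counts as "no explicit choice".
        if value and value != "auto":
            findings.append((name, value))
    return findings

# Constructed sample configuration, not taken from any real host.
SAMPLE_MAIN_CF = """\
smtpd_tls_security_level = may
smtpd_tls_eecdh_grade = strong
smtpd_tls_dh1024_param_file =
    # comment inside a continued value
    /etc/postfix/dh2048.pem
smtpd_tls_eecdh_grade = auto
"""

if __name__ == "__main__":
    for name, value in non_auto_settings(SAMPLE_MAIN_CF):
        print(f"warning: {name} = {value} is an explicit choice, not 'auto'")
```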