On Tue, Jan 06, 2026 at 12:03:32PM +0100, A.Schulze via Postfix-users wrote:

> Viktor wrote [1] some days ago:
> 
> > the best thing to do, as with most of the cryptographic
> > parameters, is to leave them at their default values.
> 
> So, I like to ask if/when it makes sense to use 
> 'smtp_tls_session_cache_database'
> Maybe the empty default can save me from some future trouble...

Some non-default TLS-related parameter settings are just fine; my advice
boils down to avoiding knee-jerk turning up the crypto to 11.

You still need to provision TLS server certificates, turn on basic
(level 1) logging, and enable TLS session caching if some of your mail is
often enough going to the same set of servers to make the session cache
effective.

Postfix doesn't yet explicitly log that a TLS handshake was resumed,
but with TLS 1.3 there's indirect evidence in the "level 1" connection
summary message, because the "server-signature" algorithm is then
missing.

Thus, for example, my logs show:

    # tail -n10000 /var/log/postfix/log |
        grep -P 'TLS connection established to \S+: TLSv1.3 (?!.*? server-digest )'
    Jan 05 16:07:13 ...: Verified TLS connection established to list.sys4.de[45.90.5.195]:25:
        TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519

It seems that I've made a habit of posting to this list...  Not long
before that:

    Jan 05 15:48:52 ...: Verified TLS connection established to list.sys4.de[45.90.5.195]:25:
        TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519
        server-signature ECDSA (secp384r1) server-digest SHA384

If resumption is rare on your server, you're better off without a
session cache; if it is frequent enough, it can be useful, though really
only "needed" to support high-volume mail traffic on busy ISP or large
corporate servers.

-- 
    Viktor.  🇺🇦 Слава Україні!
_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
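As an added illustration (editor's example, not part of Viktor's message and not Postfix code): the heuristic described above, that a TLS 1.3 "connection established" summary with no server-signature field is a resumed session, can be applied mechanically to decide whether a client-side session cache would pay off. The Python below classifies each summary line as a full handshake or a resumption per destination and reports the overall resumption share. The log lines embedded in it are constructed, using documentation-range hostnames and addresses; the one assumption is that each summary is a single line, as syslog writes it (the copies in the mail above were wrapped for posting). Connections that are not TLS 1.3 are reported as "unknown" rather than guessed at, since the message describes the signal only for TLS 1.3.

```python
import re
from collections import defaultdict

# Constructed sample of Postfix "level 1" TLS summaries, one per line as syslog
# emits them. Hostnames, addresses, timestamps and PIDs are made up.
SAMPLE_LOG = """\
Jan 05 15:48:52 mx1 postfix/smtp[1234]: Verified TLS connection established to list.example.org[192.0.2.10]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384
Jan 05 16:07:13 mx1 postfix/smtp[1250]: Verified TLS connection established to list.example.org[192.0.2.10]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519
Jan 05 16:09:40 mx1 postfix/smtp[1261]: Untrusted TLS connection established to mail.example.net[198.51.100.7]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
Jan 05 16:12:02 mx1 postfix/smtp[1270]: Anonymous TLS connection established to legacy.example.com[203.0.113.5]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan 05 16:15:31 mx1 postfix/smtp[1281]: Verified TLS connection established to list.example.org[192.0.2.10]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519
"""

# Destination is "host[addr]:port"; the protocol token follows the colon after it.
LINE_RE = re.compile(
    r"TLS connection established to (?P<dest>\S+): "
    r"(?P<proto>TLSv[\d.]+) with cipher (?P<rest>.*)$"
)


def classify(line):
    """Return (destination, kind) for a TLS summary line, or None for other lines.

    kind is "full" (TLS 1.3 with a server-signature field), "resumed"
    (TLS 1.3 without one) or "unknown" (any other protocol version, for
    which this heuristic is not claimed to apply).
    """
    m = LINE_RE.search(line)
    if not m:
        return None
    dest = m.group("dest")
    if m.group("proto") != "TLSv1.3":
        return dest, "unknown"
    if "server-signature" in m.group("rest"):
        return dest, "full"
    return dest, "resumed"


def summarize(log_text):
    """Count full/resumed/unknown TLS connections per destination."""
    counts = defaultdict(lambda: {"full": 0, "resumed": 0, "unknown": 0})
    for line in log_text.splitlines():
        result = classify(line)
        if result is not None:
            dest, kind = result
            counts[dest][kind] += 1
    return dict(counts)


def resumption_ratio(summary):
    """Share of TLS 1.3 connections that were resumed (0.0 when none were seen)."""
    full = sum(c["full"] for c in summary.values())
    resumed = sum(c["resumed"] for c in summary.values())
    total = full + resumed
    return resumed / total if total else 0.0


if __name__ == "__main__":
    # For a real log: summarize(open("/var/log/postfix/log").read())
    report = summarize(SAMPLE_LOG)
    for dest, c in sorted(report.items()):
        print(f"{dest}: full={c['full']} resumed={c['resumed']} unknown={c['unknown']}")
    print(f"TLS 1.3 resumption share: {resumption_ratio(report):.0%}")
```

In the constructed sample the destination that sees repeat traffic resumes two out of three TLS 1.3 sessions, while the one-off destination does a full handshake, which is exactly the pattern the advice above turns on: resumption only helps where the same peers recur. If the share on a real server is substantial, the form documented in Postfix's TLS_README for enabling the client-side cache is `smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache` in main.cf; if it stays near zero, the empty default is the right choice.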
