Viktor Dukhovni via Postfix-users:
> > PS. If I'm not mistaken, this is not an issue for RSA certificates,
> > since all key sizes are universally supported because RSA uses the same
> > algorithm.
>
> Actually it is, because even though RSA is a single algorithm, not all
> implementations accept all key sizes, stick with *mainstream*
> parameters.
This is a fundamental difference between SMTP and TLS.
SMTP is stable.
TLS is a moving target.

The best strategy for TLS is to refresh every few years and to stick with Postfix default settings, because those evolve over time.

The more you customize TLS settings, the higher the odds that you lose interoperability, because your custom settings are frozen in time.

The longer you stick with the same Postfix+TLS implementation, the higher the odds that you lose interoperability, because all TLS settings are frozen in time.

The intersection of frozen-in-time settings with reality gets smaller over time.

This is not what I had in mind when I originally implemented Postfix as an "install and forget, update when you get new hardware" thing, but it is what it is.
Wietse
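As an added example, not code from this thread or from Postfix itself: a POSIX shell check that lists every TLS parameter set explicitly in main.cf and marks whether it currently matches the built-in default. Either way the value is frozen and will not follow a future change of the default, which is the interoperability risk described above. The `postconf -n` / `postconf -d` output below is constructed and its default values are illustrative; on a live host feed it the real output as shown in the comment.

```shell
#!/bin/sh
# Constructed sample of `postconf -n` output (parameters set explicitly in
# main.cf). Values are illustrative, not a recommended configuration.
SAMPLE_NONDEFAULT='myhostname = mail.example.com
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_ciphers = medium
smtp_tls_security_level = may'

# Constructed sample of `postconf -d` output (built-in defaults) for the
# same parameters. Real defaults depend on the Postfix release, which is
# exactly why an explicit value is "frozen in time".
SAMPLE_DEFAULT='myhostname = localhost
smtpd_tls_security_level =
smtpd_tls_protocols = >=TLSv1
smtpd_tls_mandatory_ciphers = medium
smtp_tls_security_level ='

# frozen_tls_overrides NONDEFAULT_TEXT DEFAULT_TEXT
# Prints "name|configured|default|SAME-or-DIFFERS" for every explicitly set
# parameter whose name contains "tls_". SAME means the override merely
# restates today's default; it is still pinned and will not track changes.
frozen_tls_overrides() {
    printf '%s\n' "$1" | awk -v defaults="$2" '
        # value(line): text after "name = " (empty when nothing follows "=")
        function value(line,   v) { v = line; sub(/^[^=]*=[ ]?/, "", v); return v }
        BEGIN {
            n = split(defaults, lines, "\n")
            for (i = 1; i <= n; i++) {
                name = lines[i]; sub(/ *=.*$/, "", name)
                def[name] = value(lines[i])
            }
        }
        $1 ~ /(^|_)tls_/ {
            val = value($0)
            flag = ($1 in def && val == def[$1]) ? "SAME" : "DIFFERS"
            print $1 "|" val "|" def[$1] "|" flag
        }'
}

# Stand-alone run on the constructed samples. On a real host use:
#   frozen_tls_overrides "$(postconf -n)" "$(postconf -d)"
frozen_tls_overrides "$SAMPLE_NONDEFAULT" "$SAMPLE_DEFAULT"
```

Every line this prints is a setting that Wietse's advice says to reconsider; an empty result means TLS behaviour will move with the Postfix defaults.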
Postfix-users mailing list