> On Apr 13, 2017, at 7:33 AM, Zbyszek Żółkiewski <t...@onefellow.com> wrote:
> 
> Question: postfix 2.11: I have configured both RSA and ECDSA support on the 
> server (smtpd_tls_cert_file and smtpd_tls_eccert_file) and support for ECDSA 
> works great - however ECDSA is _never_ selected as cipher for sending or 
> receiving mails. 
> To check if it is properly configured I have disabled RSA support and running 
> server only with ECDSA and I confirm it works with gmail servers for example 
> (cipher ECDHE-ECDSA…).
> Is there any way I can force postfix to first try ECDHE-ECDSA… and then 
> fallback to RSA? Note, I have tried custom tls_high_cipherlist but no luck… 

OpenSSL prefers ECDSA to RSA by default.  However, it also generally
accepts the client's cipher preference order.  To use the server's
preference list set:

        $ tls_preempt_cipherlist = yes

DO NOT change the "tls_{high,medium,...}_cipherlist" settings.

-- 
        Viktor.

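To confirm the effect of the setting above, here is an added example (not from the thread) that tallies which authentication algorithm Postfix actually negotiated, by direction, from its "TLS connection established" log lines; the sample log lines, hostnames and addresses are constructed.

```python
"""Tally ECDSA vs RSA authentication in Postfix TLS log lines, per direction."""
import re
from collections import Counter

# Postfix logs one summary line per TLS session. Inbound (smtpd):
#   Anonymous TLS connection established from host[ip]: TLSv1.2 with cipher NAME (bits)
# Outbound (smtp client):
#   Trusted TLS connection established to host[ip]:25: TLSv1.2 with cipher NAME (bits)
TLS_LINE = re.compile(
    r"(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"(?P<direction>from|to) (?P<peer>[^\s\[]+\[[^\]]+\])(?::\d+)?: "
    r"(?P<proto>TLSv[\d.]+) with cipher (?P<cipher>[\w-]+)"
)

def auth_algorithm(cipher):
    """Derive the certificate/signature algorithm from an OpenSSL cipher name."""
    if "ECDSA" in cipher:
        return "ECDSA"
    if "RSA" in cipher:
        return "RSA"
    return "other"  # e.g. TLS 1.3 suite names carry no authentication algorithm

def parse_tls_line(line):
    """Return a record for a Postfix TLS summary line, or None for other lines."""
    m = TLS_LINE.search(line)
    if not m:
        return None
    return {
        "direction": "inbound" if m["direction"] == "from" else "outbound",
        "peer": m["peer"],
        "protocol": m["proto"],
        "cipher": m["cipher"],
        "auth": auth_algorithm(m["cipher"]),
    }

def summarize(lines):
    """Count sessions per (direction, auth algorithm); a server that is never
    chosen for ECDSA shows up as zero ECDSA entries on the inbound side."""
    counts = Counter()
    for line in lines:
        rec = parse_tls_line(line)
        if rec:
            counts[(rec["direction"], rec["auth"])] += 1
    return counts

# Constructed sample lines in Postfix's log format (documentation-range addresses).
SAMPLE_LOG = [
    "Apr 13 07:33:01 mx postfix/smtpd[2101]: 3AB1C2D3E4: Anonymous TLS connection established from mail-a.example.test[192.0.2.10]: TLSv1.2 with cipher ECDHE-ECDSA-AES128-GCM-SHA256 (128/128 bits)",
    "Apr 13 07:34:12 mx postfix/smtpd[2102]: 4BC2D3E4F5: Anonymous TLS connection established from mail-b.example.test[192.0.2.11]: TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)",
    "Apr 13 07:35:40 mx postfix/smtpd[2103]: 5CD3E4F5A6: Untrusted TLS connection established from legacy.example.test[192.0.2.12]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)",
    "Apr 13 07:36:05 mx postfix/smtp[2150]: 6DE4F5A6B7: Trusted TLS connection established to mx.example.test[198.51.100.25]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "Apr 13 07:36:09 mx postfix/smtpd[2104]: 7EF5A6B7C8: connect from unknown[203.0.113.7]",
]
```

Run `summarize(SAMPLE_LOG)` against the same lines before and after changing tls_preempt_cipherlist to see the inbound ECDSA count move.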