> On Apr 13, 2017, at 7:33 AM, Zbyszek Żółkiewski <t...@onefellow.com> wrote:
>
> Question: postfix 2.11: I have configured both RSA and ECDSA support on the
> server (smtpd_tls_cert_file and smtpd_tls_eccert_file) and support for ECDSA
> works great - however ECDSA is _never_ selected as cipher for sending or
> receiving mails.
> To check if it is properly configured I have disabled RSA support and am running
> the server only with ECDSA, and I confirm it works with gmail servers for example
> (cipher ECDHE-ECDSA…).
> Is there any way I can force postfix to first try ECDHE-ECDSA… and then
> fall back to RSA? Note, I have tried custom tls_high_cipherlist but no luck…

OpenSSL prefers ECDSA to RSA by default.  However, it also generally
accepts the client's cipher preference order.  To use the server's
preference list set:

    $ tls_preempt_cipherlist = yes

DO NOT change the "tls_{high,medium,...}_cipherlist" settings.

-- 
        Viktor.
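
The selection behaviour discussed in this thread, as an added example that is not part of the original messages and is not OpenSSL or Postfix code: a simplified model of TLS 1.2-style cipher selection showing why a dual-certificate server ends up on RSA when the client lists RSA suites first, and what server preference changes. The preference lists are constructed for illustration, and `negotiate` and `auth_type` are hypothetical helper names.

```python
# Simplified model of TLS (<= 1.2) cipher-suite selection; not OpenSSL's code.
# Cipher names are real OpenSSL names; both preference lists are constructed.

SERVER_PREFS = [  # assumed server order, ECDSA ahead of RSA
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
]

CLIENT_RSA_FIRST = [  # constructed client that lists RSA suites first
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
]


def auth_type(cipher):
    """Return the certificate type a suite needs: 'ECDSA' or 'RSA'."""
    return "ECDSA" if "-ECDSA-" in cipher else "RSA"


def negotiate(client_prefs, server_prefs, server_certs, preempt):
    """Pick the suite a server holding the given certificate types would use.

    preempt=False models the default (the client's order wins);
    preempt=True models tls_preempt_cipherlist = yes (the server's order wins).
    """
    # A suite is usable only if the server has a certificate of that type.
    usable = [c for c in server_prefs if auth_type(c) in server_certs]
    if preempt:
        ordered, other = usable, set(client_prefs)
    else:
        ordered, other = client_prefs, set(usable)
    for cipher in ordered:
        if cipher in other:
            return cipher
    return None  # no shared suite: the handshake fails


if __name__ == "__main__":
    for certs in ({"RSA", "ECDSA"}, {"ECDSA"}):
        for preempt in (False, True):
            chosen = negotiate(CLIENT_RSA_FIRST, SERVER_PREFS, certs, preempt)
            print(sorted(certs), "preempt=%s" % preempt, "->", chosen)
```
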