i'm prepping postfix tls on the way to DANE implementation
current check with
testssl -t smtp mx.example.com:25
reports,
Testing server defaults (Server Hello)
TLS extensions (standard) "renegotiation info/#65281" "EC point formats/#11" "session ticket/#35" "supported versions/#43" "key share/#51" "max fragment length/#1" "extended master secret/#23"
Session Ticket RFC 5077 hint 7200 seconds, session tickets keys seems to be rotated < daily
SSL Session ID support yes
??? Session Resumption Tickets: yes, ID resumption test failed, pls report
TLS clock skew Random values, no fingerprinting possible
Server Certificate #1
Signature Algorithm SHA256 with RSA
Server key size RSA 4096 bits
...
Issuer R3 (Let's Encrypt from US)
...
OCSP URI http://r3.o.lencr.org
OCSP stapling not offered
??? OCSP must staple extension requires OCSP stapling (NOT ok)
...
Server Certificate #2
Signature Algorithm SHA256 with RSA
Server key size EC 384 bits
...
Issuer R3 (Let's Encrypt from US)
...
OCSP URI http://r3.o.lencr.org
OCSP stapling not offered
??? OCSP must staple extension requires OCSP stapling (NOT ok)
From comments I've found (not yet anything official),
"OCSP stapling not offered"
for Postfix is
(1) expected
(2) won't change
(3) doesn't 'break' any operation, using the LE certs
Is that correct? I.e., can be safely ignored?
The other ??? item,
"Session Resumption Tickets: yes, ID resumption test failed, pls report"
I've not found any guidance on at all, yet.
For postfix, do I care?
And if so, what/where is a fix?
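The two "???" findings above can be reproduced without testssl, which helps when deciding whether a fix actually changed anything. The script below is an added example and is not part of the original post nor Postfix's own tooling; the host and port are placeholders supplied on the command line, and the classifier functions only parse the status lines that `openssl s_client` prints ("OCSP response: no response sent" / "OCSP Response Data:" for `-status`, and "New, ..." / "Reused, ..." for a resumed session). The session-ID test forces TLS 1.2 with `-no_ticket` so that it cannot succeed via a ticket; the separate ticket test runs without those flags.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the testssl findings
# "OCSP stapling not offered" and "ID resumption test failed" against an SMTP
# server with openssl s_client. Host and port are caller-supplied placeholders.

# Read all of stdin into a variable so several greps can look at it.
slurp() { cat; }

# Classify the output of an `s_client -status` run on stdin:
# prints "stapled" if a stapled OCSP response was delivered, else "not-stapled".
classify_ocsp() {
    out=$(slurp)
    if printf '%s\n' "$out" | grep -q '^OCSP Response Data:'; then
        echo stapled
    else
        echo not-stapled
    fi
}

# Classify the output of the *second* (-sess_in) s_client run on stdin:
# "reused" when the session was resumed, "new" on a full handshake,
# "unknown" when neither status line is present (e.g. connection failed).
classify_resumption() {
    out=$(slurp)
    if printf '%s\n' "$out" | grep -q '^Reused, '; then
        echo reused
    elif printf '%s\n' "$out" | grep -q '^New, '; then
        echo new
    else
        echo unknown
    fi
}

# One STARTTLS handshake; extra openssl flags are passed through.
# QUIT is sent over the TLS channel so the server closes the session cleanly.
smtp_handshake() {
    host=$1; port=$2; shift 2
    printf 'QUIT\r\n' | openssl s_client -starttls smtp \
        -connect "$host:$port" "$@" 2>&1
}

# Check one MX: OCSP stapling, session-ID resumption (TLS 1.2, tickets
# disabled) and ticket resumption. Saved sessions go to a temp directory.
check_mx() {
    host=$1; port=${2:-25}
    tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT

    printf 'OCSP stapling:         %s\n' \
        "$(smtp_handshake "$host" "$port" -status | classify_ocsp)"

    # Session-ID resumption needs a server-side session cache; a ticket-only
    # server will show "new" here even though ticket resumption works.
    smtp_handshake "$host" "$port" -tls1_2 -no_ticket -sess_out "$tmp/id" >/dev/null
    printf 'session-ID resumption: %s\n' \
        "$(smtp_handshake "$host" "$port" -tls1_2 -no_ticket -sess_in "$tmp/id" | classify_resumption)"

    # Ticket resumption (what testssl reports as "Session Resumption Tickets").
    smtp_handshake "$host" "$port" -sess_out "$tmp/ticket" >/dev/null
    printf 'ticket resumption:     %s\n' \
        "$(smtp_handshake "$host" "$port" -sess_in "$tmp/ticket" | classify_resumption)"
}

# Usage: sh check_mx.sh mx.example.com 25   (host and port are placeholders)
if [ $# -gt 0 ]; then
    check_mx "$@"
fi
```

Run it before and after any change to the Postfix TLS settings; the three lines make it clear which of the testssl findings is a stapling question and which is a resumption question, since the two are unrelated.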