On Thu, Oct 23, 2025 at 08:44:02AM -0400, David Prall via mailop wrote:
> Followed instructions found here:
> https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/200169-Configure-ESA-to-prefer-Perfect-Forward.html#anc8
>
I'm fairly confident that those instructions are rather dated, and that
ESA software surely enables support for ECC certificates and ECDHE key
exchange by default.
> > [InternalId=26474178412560, Hostname=edge02.systema-online.de] 7144
> > bytes in 4.764, 1,464 KB/sec Queued mail for delivery'.
That host does support ECDSA with a P-256 certificate, and prefers P-384
for key exchange, but also supports P-256. It should be fine.
$ (sleep 2; printf 'QUIT\r\n') | openssl s_client -starttls smtp -brief -connect edge02.systema-online.de:25
...
CONNECTION ESTABLISHED
Protocol version: TLSv1.2
Ciphersuite: ECDHE-ECDSA-AES256-GCM-SHA384
Peer certificate: CN=edge02.systema-online.de
Hash used: SHA256
Signature type: ecdsa_secp256r1_sha256
Peer Temp Key: ECDH, secp384r1, 384 bits
250 XSHADOW
DONE
$ (sleep 2; printf 'QUIT\r\n') | openssl s_client -starttls smtp -brief -connect edge02.systema-online.de:25 -groups X25519:P-256
...
CONNECTION ESTABLISHED
Protocol version: TLSv1.2
Ciphersuite: ECDHE-ECDSA-AES256-GCM-SHA384
Peer certificate: CN=edge02.systema-online.de
Hash used: SHA256
Signature type: ecdsa_secp256r1_sha256
Peer Temp Key: ECDH, prime256v1, 256 bits
250 XSHADOW
DONE
As is overwhelmingly common, no additional RSA certificate:
$ (sleep 2; printf 'QUIT\r\n') | openssl s_client -starttls smtp -brief -connect edge02.systema-online.de:25 -cipher aRSA -groups X25519:P-256
Connecting to 178.15.145.70
C010475D137F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:696:
--
Viktor. 🇺🇦 Слава Україні!
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
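The three probes above can be read mechanically. The following is an added example, not part of Viktor's post or of any tool he mentions: a small Python parser for `openssl s_client -brief` output that extracts the certificate authentication algorithm, the negotiated key-exchange group, and whether a handshake restricted to RSA authentication (`-cipher aRSA`) succeeded at all. The sample outputs embedded below are copied from the post; the function names `parse_brief` and `assess`, and the assumption that the three runs are keyed as shown, are this example's own.

```python
import re

# Constructed sample: the three openssl s_client -brief runs quoted in the
# message above. The third run fails because the server has no RSA
# certificate to offer once ECDSA suites are excluded.
RUNS = {
    "default": """\
CONNECTION ESTABLISHED
Protocol version: TLSv1.2
Ciphersuite: ECDHE-ECDSA-AES256-GCM-SHA384
Peer certificate: CN=edge02.systema-online.de
Hash used: SHA256
Signature type: ecdsa_secp256r1_sha256
Peer Temp Key: ECDH, secp384r1, 384 bits
250 XSHADOW
DONE
""",
    "X25519:P-256": """\
CONNECTION ESTABLISHED
Protocol version: TLSv1.2
Ciphersuite: ECDHE-ECDSA-AES256-GCM-SHA384
Peer certificate: CN=edge02.systema-online.de
Hash used: SHA256
Signature type: ecdsa_secp256r1_sha256
Peer Temp Key: ECDH, prime256v1, 256 bits
250 XSHADOW
DONE
""",
    "aRSA X25519:P-256": """\
Connecting to 178.15.145.70
C010475D137F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:696:
""",
}

# OpenSSL's curve names versus the TLS "supported groups" names used with -groups.
OPENSSL_TO_TLS = {"prime256v1": "P-256", "secp384r1": "P-384", "secp521r1": "P-521"}

FIELDS = [
    ("protocol", "Protocol version"),
    ("ciphersuite", "Ciphersuite"),
    ("peer_cert", "Peer certificate"),
    ("sig_type", "Signature type"),
    ("temp_key", "Peer Temp Key"),
]


def parse_brief(output: str) -> dict:
    """Parse one `openssl s_client -brief` transcript into a dict.

    A failed handshake yields {'established': False, 'error': <message>}.
    """
    info = {"established": "CONNECTION ESTABLISHED" in output}
    if not info["established"]:
        m = re.search(r"error:([0-9A-F]+):(.*)", output)
        info["error"] = m.group(2).strip() if m else output.strip()
        return info
    for key, label in FIELDS:
        m = re.search(rf"^{label}: (.*)$", output, re.M)
        info[key] = m.group(1).strip() if m else None
    # TLS 1.2 suite names carry the authentication algorithm (ECDHE-ECDSA-...,
    # ECDHE-RSA-...); TLS 1.3 names do not, so fall back to the signature type.
    suite = info["ciphersuite"] or ""
    if "-ECDSA-" in suite:
        info["auth"] = "ECDSA"
    elif "-RSA-" in suite:
        info["auth"] = "RSA"
    elif info["sig_type"]:
        info["auth"] = info["sig_type"].split("_")[0].upper()
    else:
        info["auth"] = None
    # "Peer Temp Key: ECDH, secp384r1, 384 bits" -> secp384r1;
    # "Peer Temp Key: X25519, 253 bits" -> X25519 (no leading "ECDH," there).
    group = None
    if info["temp_key"]:
        parts = [p.strip() for p in info["temp_key"].split(",")]
        group = parts[1] if parts[0] in ("ECDH", "DH") and len(parts) > 1 else parts[0]
    info["kx_group"] = group
    info["kx_group_tls"] = OPENSSL_TO_TLS.get(group, group)
    return info


def assess(runs: dict) -> dict:
    """Summarise what the three probes show about the server's TLS posture."""
    default = parse_brief(runs["default"])
    narrowed = parse_brief(runs["X25519:P-256"])
    rsa_only = parse_brief(runs["aRSA X25519:P-256"])
    return {
        "cert_auth": default.get("auth"),
        "preferred_group": default.get("kx_group_tls"),
        "accepts_p256": bool(narrowed["established"] and narrowed.get("kx_group_tls") == "P-256"),
        "has_rsa_cert": rsa_only["established"],
    }


if __name__ == "__main__":
    for name, result in assess(RUNS).items():
        print(f"{name}: {result}")
```

The same parser works on a live `-brief` transcript captured with the command from the post; the `has_rsa_cert` flag is the signal that matters for a peer configured to accept only RSA-authenticated suites.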