On Wed, Dec 17, 2025 at 01:29:18PM +0100, Ralf Hildebrandt via mailop wrote:

> Once I present both, mimecast is failing.

Really not "present", rather "configure" or "offer".

When a client offers support for both, your server likely chooses ECDSA
over RSA, but you should be able to change their relative preference and
still offer both RSA and EC certs.  Though in that case you'd very rarely
negotiate ECDSA, since very few clients will support only ECDSA, and
your server will always choose RSA when the client supports both.

With Postfix support for OpenSSL config files you can set:

    main.cf:
        tls_config_file = ${config_directory}/openssl.cnf
        tls_config_name = postfix
        tls_preempt_cipherlist = yes
        tls_exclude_ciphers = aDSS, SRP, PSK
        tls_medium_cipherlist = $tls_high_cipherlist
        #
        # TLS 1.2: Prefer anon then RSA, then EC ciphers,
        # and within those lists, prefer ECDHE over DHE:
        #
        tls_high_cipherlist =
            kDHE:-kDHE:kECDHE:-kECDHE:ALL+aNULL:ALL+aRSA:ALL+aECDSA:@STRENGTH:@SECLEVEL=0

    openssl.cnf:
        postfix = postfix_init

        [postfix_init]
        ssl_conf = [postfix_tls]

        [postfix_tls]
        system_default = [tls_base_settings]

        [tls_base_settings]
        # In TLS 1.3, prefer RSA over ECDSA
        #
        SignatureAlgorithms = rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:rsa_pkcs1_sha256:rsa_pkcs1_sha384:rsa_pkcs1_sha512:rsa_pkcs1_sha1:ecdsa_secp256r1_sha256:ecdsa_secp384r1_sha384:ecdsa_secp521r1_sha512

> Once I present just the ECC certificate, mimecast is failing.  Once I
> present ONLY the RSA certificate, all is well.

Only one certificate is ever "presented", but both are available, the
server chooses which to present among those supported by the client.
These clients clearly support both, so it's your server's choice which is the
preferred default, but if that's RSA, you're very unlikely to use
anything else; the client would have to implausibly not support RSA.

-- 
    Viktor.  🇺🇦 Слава Україні!
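
An added illustration, not part of the original message and not OpenSSL's own code: a simplified Python model of the TLS 1.3 choice described above, where the server walks its own SignatureAlgorithms preference list and presents the first certificate the client can verify. The function names, the installed-key labels and the client offers are constructed for the example, and the model assumes the server's order is the one honoured.

```python
# Simplified model of server-side certificate choice in TLS 1.3 when the
# server's own preference order is honoured. Not OpenSSL's implementation.

# Server preference, copied from the SignatureAlgorithms line in the message.
SERVER_PREF = (
    "rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:"
    "rsa_pkcs1_sha256:rsa_pkcs1_sha384:rsa_pkcs1_sha512:rsa_pkcs1_sha1:"
    "ecdsa_secp256r1_sha256:ecdsa_secp384r1_sha384:ecdsa_secp521r1_sha512"
).split(":")

# Constructed sample data: a server holding one RSA and one P-256 certificate,
# a client that lists ECDSA first, and a client that supports ECDSA only.
INSTALLED_KEYS = {"rsa", "secp256r1"}
TYPICAL_CLIENT = ["ecdsa_secp256r1_sha256", "rsa_pss_rsae_sha256",
                  "rsa_pkcs1_sha256", "ecdsa_secp384r1_sha384"]
ECDSA_ONLY_CLIENT = ["ecdsa_secp256r1_sha256", "ecdsa_secp384r1_sha384"]


def key_needed(sigalg):
    """Return the certificate key a TLS 1.3 signature scheme requires,
    or None if the scheme cannot sign the TLS 1.3 handshake."""
    if sigalg.startswith("rsa_pss_rsae_"):
        return "rsa"
    if sigalg.startswith("ecdsa_"):
        return sigalg.split("_")[1]      # curve is fixed by the scheme
    return None                           # rsa_pkcs1_*: certificates only


def choose(client_offer, installed_keys=INSTALLED_KEYS, server_pref=SERVER_PREF):
    """Pick (scheme, key) for the one certificate the server will present."""
    offered = set(client_offer)
    for alg in server_pref:               # server order wins, not client order
        key = key_needed(alg)
        if key and alg in offered and key in installed_keys:
            return alg, key
    return None                           # no usable certificate for this client


if __name__ == "__main__":
    for name, offer in [("typical", TYPICAL_CLIENT), ("ecdsa-only", ECDSA_ONLY_CLIENT)]:
        print(name, "->", choose(offer))
```

Both certificates stay configured in every case; only the client's offer and the server's preference order decide which single one is sent.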