On Thu, Jan 08, 2026 at 02:49:47PM +0100, Geert Hendrickx via Postfix-devel
wrote:
> On Thu, Jan 08, 2026 at 07:47:29 -0500, Wietse Venema via Postfix-devel wrote:
> > Fedor Vorobev via Postfix-devel:
> > > +#define VAR_TLS_SYSTEM_CLIST "tls_system_cipherlist"
> > > +#define DEF_TLS_SYSTEM_CLIST "PROFILE=SYSTEM"
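Review bot: the default DEF_TLS_SYSTEM_CLIST of "PROFILE=SYSTEM" is not a cipher string that stock OpenSSL understands (the thread notes it is a Red Hat addition), so on a build against upstream OpenSSL this default would fail to parse, and the new VAR_TLS_SYSTEM_CLIST parameter adds a knob the existing *_cipherlist parameters already cover; document the platform dependency and consider expressing this as a value for an existing parameter instead of a new one.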
> >
> > Why not reuse one of the existing *_cipherlist parameters?
> > For example, tls_medium_cipherlist = PROFILE=SYSTEM.
>
> Particularly since this PROFILE=SYSTEM is a Red Hat addition, it does not
> exist in standard OpenSSL.
Not only that, but Postfix by default does not load the system-wide
"openssl.cnf" file, so I would not expect "PROFILE=SYSTEM" to work,
unless it is somehow bolted into the OpenSSL library without needing
any configuration file support.
Any such feature requires careful documentation, because Postfix would
need to load the relevant configuration files, and then suffer the
consequences of reduced TLS interoperability as various TLS features
still somewhat common in SMTP are turned off.
It is rather unclear why any of this is a good idea; the underlying
profile is NOT designed for opportunistic TLS or the SMTP ecosystem.
Any masochist who wants to pile on non-default exclusions in TLS 1.2
cipherlists can do that (or change one of the existing underlying lists)
without introducing a new ciphergrade.
--
Viktor. 🇺🇦 Слава Україні!