On Thu, Jan 8, 2026 at 5:22 PM Viktor Dukhovni via Postfix-devel <[email protected]> wrote:
>
> On Thu, Jan 08, 2026 at 02:49:47PM +0100, Geert Hendrickx via Postfix-devel wrote:
>
> > On Thu, Jan 08, 2026 at 07:47:29 -0500, Wietse Venema via Postfix-devel wrote:
> > > Fedor Vorobev via Postfix-devel:
> > > > +#define VAR_TLS_SYSTEM_CLIST "tls_system_cipherlist"
> > > > +#define DEF_TLS_SYSTEM_CLIST "PROFILE=SYSTEM"
> > >
> > > Why not reuse one of the existing *_cipherlist parameters?
> > > For example, tls_medium_cipherlist = PROFILE=SYSTEM.
> >
> > Particularly since this PROFILE=SYSTEM is a Red Hat addition, it does not
> > exist in standard OpenSSL.
>
> Not only that, but Postfix by default does not load the system-wide
> "openssl.cnf" file, so I would not expect "PROFILE=SYSTEM" to work,
> unless it is somehow bolted into the OpenSSL library without needing
> any configuration file support.
>

IMHO for Fedora/RHEL downstream patched openssl it should work, but it's a good argument that in the current state it probably isn't useful for others/upstream.

> It is rather unclear why any of this is a good idea, the underlying
> profile is NOT designed for opportunistic TLS or the SMTP ecosystem.
>

IMHO it could be used for hardening of the submission port.

Anyway, thanks for the feedback and sorry for the noise

thanks & regards

Jaroslav
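
Review bot: DEF_TLS_SYSTEM_CLIST hard-codes "PROFILE=SYSTEM" as the default value with no comment on where that cipher string is valid. The replies in this thread point out that it is a Red Hat addition that does not exist in standard OpenSSL, and that Postfix by default does not load the system-wide openssl.cnf. Document that dependency next to the define, or drop the new tls_system_cipherlist parameter and set one of the existing *_cipherlist parameters to PROFILE=SYSTEM in the downstream configuration, as suggested above.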
