On Thu, Aug 21, 2025 at 10:35 AM Viktor Dukhovni via Postfix-users <postfix-users@postfix.org> wrote:

> On Thu, Aug 21, 2025 at 10:22:04AM +0300, Avram-Teodor Berindeie via
> Postfix-users wrote:
>
> > Apache and Dovecot offer an option to disable it, that's why I asked.
> > For now, if there is no parameter, it remains as is without the suggested
> > changes in main.cf.
> > Thank you!
>
> I am not entirely sure what you're trying to say above, but should
> clarify that with solid support in Postfix to use a custom "openssl.cnf"
> file and/or set a custom application name (perhaps even different names
> for different master.cf services) it doesn't really make sense to keep
> adding Postfix parameters to mirror every new OpenSSL feature.
>
> In particular, the new OpenSSL 3.5+ key exchange "Group" configuration
> syntax, TLS 1.3 bulk ciphers and custom signature algorithm lists are
> best handled via the OpenSSL configuration file.
>
> On the other hand, certificate chain configuration and TLS 1.2 ciphers
> are better handled via the existing Postfix parameters.
>
> --
>     Viktor.  🇺🇦 Слава Україні!
> _______________________________________________
> Postfix-users mailing list -- postfix-users@postfix.org
> To unsubscribe send an email to postfix-users-le...@postfix.org

OK, I tested it and it works. I have only one question: do I need to copy
the default openssl.conf file (located in the path /etc/ssl/openssl.conf)
to the path /etc/postfix/ and add the settings suggested in the first
answer to that file?

I ask this because in this case, with each change to the default
openssl.conf file (possible when updating openssl), I will have to recopy
the file to the path /etc/postfix/ and add the settings again.