On Thu, Aug 21, 2025 at 4:53 PM Viktor Dukhovni via Postfix-users <
postfix-users@postfix.org> wrote:

> On Thu, Aug 21, 2025 at 02:37:33PM +0300, Avram-Teodor Berindeie wrote:
>
> > > I am not entirely sure what you're trying to say above, but should
> > > clarify that with solid support in Postfix to use a custom
> > > "openssl.cnf"
> > > file and/or set a custom application name (perhaps even different names
> > > for different master.cf services) it doesn't really make sense to keep
> > > adding Postfix parameters to mirror every new OpenSSL feature.
> >
> > OK I tested it and it works, I have only one question?
> > Do I need to copy the default openssl.conf file (located in the path
> > /etc/ssl/openssl.conf)
>
> My typo upthread, it is of course "openssl.cnf" without the expected "o".
>
> > to the path /etc/postfix/ and add the settings suggested in the first
> > answer to that file?
>
> There's generally nothing there that's relevant to Postfix.  By default
> Postfix does not load the system-wide openssl.cnf file.  This avoids
> collateral damage to opportunistic security in SMTP from overly
> strict security policy that is arguably appropriate for mandatory TLS.
>
> > I ask this because in this case, with each change to the default
> > openssl.conf file (possible when updating openssl) I will have to recopy
> > the file to the path /etc/postfix/ and add the settings again.
>
> No need.  You only need to change the Postfix-specific OpenSSL config file
> if your Postfix requirements change.  Of course you can also use the
> system-wide file and just define a custom "tls_config_name", but since
> IIRC nothing else in that file is relevant to Postfix it hardly matters.
>
> --
>     Viktor.  🇺🇦 Слава Україні!
> _______________________________________________
> Postfix-users mailing list -- postfix-users@postfix.org
> To unsubscribe send an email to postfix-users-le...@postfix.org


Super OK!
My final solution:
In the main.cf file, add:
tls_config_file = ${config_directory}/openssl.cnf
tls_config_name = postfix

In the Postfix configuration folder, the openssl.cnf file is created with
the following content:
# In the "default" section prior to any [named_section]
# The section names used below are arbitrary, name them
# as you see fit, but the "keys", to the left of the "="
# sign, must be as indicated and map to the section names
# you decided.
postfix = postfix_settings

[postfix_settings]
ssl_conf = postfix_ssl_settings

[postfix_ssl_settings]
system_default = postfix_ssl_defaults

[postfix_ssl_defaults]
# See SSL_CONF_cmd(3). Best to avoid any settings here that may
# conflict with parameters that you can specify in main.cf. The
# TLS 1.3 cipherlist has no main.cf equivalent, so OK here. The
# "Groups" parameter is also ok, when configured as documented
# under "tls_eecdh_auto_curves" in postconf(5).
#
Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
# Groups = ...
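A small sanity check for the openssl.cnf layout shown in the final message, added here as an example (it is not code from the thread or from Postfix). The section names in that file are arbitrary, and the chain "default section -> app section -> ssl_conf -> system_default" silently does nothing if one link is misspelled, so the script parses the file, follows the chain for the configured tls_config_name, and returns the settings that OpenSSL would actually apply. It also flags keys that have a main.cf counterpart (CipherString, Protocol, MinProtocol, MaxProtocol), following the advice in the file's comment to keep such settings out of openssl.cnf; that overlap list is this example's own choice, not a Postfix-documented mapping. The sample config is the one from the message, embedded inline.

```python
"""Parse a Postfix-style openssl.cnf and follow the tls_config_name chain.

Added example, not code from the mailing-list thread or from Postfix.
The MAINCF_OVERLAP table below is an assumption (hand-picked from
SSL_CONF_cmd(3) keys that duplicate postconf(5) TLS parameters).
"""

import re

# Constructed sample: the openssl.cnf posted in the thread.
SAMPLE_CNF = """\
# In the "default" section prior to any [named_section]
postfix = postfix_settings

[postfix_settings]
ssl_conf = postfix_ssl_settings

[postfix_ssl_settings]
system_default = postfix_ssl_defaults

[postfix_ssl_defaults]
Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
# Groups = ...
"""

# Keys with a main.cf equivalent; putting them here risks conflicting
# with what main.cf says (assumption: hand-picked list, not exhaustive).
MAINCF_OVERLAP = {
    "CipherString": "tls_*_cipherlist / smtpd_tls_*ciphers",
    "Protocol": "smtpd_tls_protocols / smtp_tls_protocols",
    "MinProtocol": "smtpd_tls_protocols / smtp_tls_protocols",
    "MaxProtocol": "smtpd_tls_protocols / smtp_tls_protocols",
}

SECTION_RE = re.compile(r"^\s*\[\s*([^\]]+?)\s*\]\s*$")
KV_RE = re.compile(r"^\s*([^#=\s][^=]*?)\s*=\s*(.*?)\s*$")


def parse_cnf(text):
    """Return {section: {key: value}}; keys before any [section] go to 'default'."""
    sections = {"default": {}}
    current = "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # '#' starts a comment
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        m = KV_RE.match(line)
        if m:
            sections[current][m.group(1)] = m.group(2)
    return sections


def resolve_chain(sections, app_name):
    """Follow app -> ssl_conf -> system_default and return the settings dict.

    Raises ValueError when a link in the chain is missing or misspelled,
    which is exactly the case OpenSSL would otherwise ignore silently.
    """
    app_section = sections["default"].get(app_name)
    if app_section is None:
        raise ValueError(f"no '{app_name} = <section>' in the default section")
    ssl_section = sections.get(app_section, {}).get("ssl_conf")
    if ssl_section is None:
        raise ValueError(f"[{app_section}] has no ssl_conf key")
    defaults = sections.get(ssl_section, {}).get("system_default")
    if defaults is None:
        raise ValueError(f"[{ssl_section}] has no system_default key")
    if defaults not in sections:
        raise ValueError(f"section [{defaults}] does not exist")
    return dict(sections[defaults])


def check_settings(settings):
    """Return warnings for main.cf overlaps and malformed TLS 1.3 suite names."""
    warnings = []
    for key, where in MAINCF_OVERLAP.items():
        if key in settings:
            warnings.append(f"{key} duplicates main.cf parameter(s) {where}")
    for name in filter(None, settings.get("Ciphersuites", "").split(":")):
        if not name.startswith("TLS_"):
            warnings.append(f"'{name}' is not a TLS 1.3 ciphersuite name")
    return warnings


if __name__ == "__main__":
    cfg = parse_cnf(SAMPLE_CNF)
    applied = resolve_chain(cfg, "postfix")  # same value as tls_config_name
    print("settings applied to Postfix:", applied)
    print("warnings:", check_settings(applied) or "none")
```

Run it against the real file with `parse_cnf(open("/etc/postfix/openssl.cnf").read())` and the value of `postconf -h tls_config_name`; a ValueError means the chain is broken and OpenSSL would have applied nothing, a warning means a setting belongs in main.cf instead.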