in pfx 3.10.7
for external, received mail, in main.cf, i've
...
smtp_dns_support_level = dnssec
smtp_host_lookup = dns
...
smtpd_tls_chain_files =
${var_ssldir}/${var_mydom}/priv.ec.key,
${var_ssldir}/${var_mydom}/fullchain.ec.crt.pem,
${var_ssldir}/${var_mydom}/priv.rsa.key,
${var_ssldir}/${var_mydom}/fullchain.rsa.crt.pem
...
the certs -- both EC and RSA -- are LetsEncrypt standard issue.
works as intended; dane checks are good.
for internal, between local pfx instances i setup specific relay, using
self-signed certs issued by own/local CA
e.g.
-o smtp_tls_security_level=encrypt
-o smtp_tls_wrappermode=yes
-o smtp_tls_chain_files=${var_ssldir}/int/int.mx.example.com.client.EC.key.pem,${var_ssldir}/int/int.mx.example.com.client.EC.crt.pem
-o smtp_tls_policy_maps=${def_db_type}:${cfg_dir}/relay_tls_policy
-o smtp_tls_fingerprint_digest=sha256
where, to date, it's EC only.
again, works as intended.
i've set up a new (test) CA instance -- to come up to speed on PQC usage.
the CA's root/intermediate are PQC algo signed.
client/server certs, issued from that CA, are now available in 'four flavors':
RSA, EC, Ed25519, PQC.
internally, PQC is now used for local-only/internal self-signed ssl. so far so
good with web & ssh.
iiuc, PQC for public-facing LE & DNSSEC in general is early-days,
https://www.ietf.org/archive/id/draft-sheth-pqc-dnssec-strategy-00.html
what part does/can PQC yet play 'in' Postfix?
too early for public-facing 'smtpd_tls_chain_files', i assume?
what about internal use between non-public-facing/internal pfx instances?
my impression is -- leave any/all public-facing pfx crypto alone/as-is for now,
but that internal relays might be ok ... ?
_______________________________________________
Postfix-users mailing list -- [email protected]
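Added example, not part of the post above: a small POSIX shell helper that takes the files listed in an smtp_tls_chain_files / smtpd_tls_chain_files setting, reports each certificate's key algorithm and the algorithm the issuing CA signed it with (so an RSA/EC/Ed25519/PQC mix is visible at a glance), checks that each private key matches its certificate, and prints the sha256 fingerprint in the form a smtp_tls_policy_maps fingerprint entry uses. It assumes only the openssl command-line tool; the file names are placeholders.

```shell
#!/bin/sh
# Inspect Postfix chain files with the openssl CLI (assumed installed).
# Usage: describe_chain_files priv.ec.key fullchain.ec.crt.pem ...

# Print "<file> key=<alg> sig=<alg>" for every certificate file given;
# private key files (*.key, *.key.pem) are skipped.
describe_chain_files() {
    for f in "$@"; do
        case "$f" in
            *.key|*.key.pem) continue ;;
        esac
        # First "Public Key Algorithm:" line = subject key type (e.g. id-ecPublicKey,
        # ED25519, rsaEncryption, ML-DSA-65 with a PQC-capable OpenSSL).
        keyalg=$(openssl x509 -in "$f" -noout -text 2>/dev/null |
                 sed -n 's/^ *Public Key Algorithm: //p' | head -n1)
        # First "Signature Algorithm:" line = what the issuing CA signed with.
        sigalg=$(openssl x509 -in "$f" -noout -text 2>/dev/null |
                 sed -n 's/^ *Signature Algorithm: //p' | head -n1)
        printf '%s key=%s sig=%s\n' "$f" "${keyalg:-unknown}" "${sigalg:-unknown}"
    done
}

# Succeeds when the private key in $1 belongs to the certificate in $2,
# by comparing the PEM public key derived from each.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# SHA-256 over the DER certificate, colon-separated hex, the same value
# posttls-finger(1) reports and that a "fingerprint match=..." policy entry
# needs when smtp_tls_fingerprint_digest=sha256.
cert_fingerprint_sha256() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}
```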