Hello!
I like to be in compliance with the internet.nl mail server test.
Recently I got an advisory that SHA224 is to be phased out.
Also, from Google:
"SHA-224 is scheduled to be phased out and disallowed by the National
Institute of Standards and Technology (NIST) by December 31, 2030, due
to its low security strength compared to modern requirements"
I tried disabling it with:
smtpd_tls_signature_exclusion = SHA224
and also:
smtpd_tls_mandatory_ciphers = medium
smtp_tls_mandatory_ciphers = medium
tls_medium_cipherlist = EECDH+AESGCM:EDH+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA224
tls_preempt_cipherlist = yes
But it does not work and still shows it as active. I got it working
with what an AI suggested:
tls_config_file = /etc/postfix/tls_config.conf
with contents:
openssl_conf = postfix_tls
[postfix_tls]
ssl_conf = postfix_ssl_sect
[postfix_ssl_sect]
system_default = postfix_system_default
[postfix_system_default]
SignatureAlgorithms = RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512
This works - just wondering if it is normal that
smtpd_tls_signature_exclusion = SHA224 does not offer the desired result
alone.
Postfix 3.11.2 btw.
Is my setup okay like this?
Thanks
Luca
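The post reports that the scanner still showed SHA-224 as active after the first change and not after the second. A way to verify that locally, rather than relying on the external test, is to offer the server only one signature algorithm at a time and see whether the TLS 1.2 handshake still completes. The script below is an added example, not code from the post or from the Postfix project. It assumes a local `openssl` with `s_client -sigalgs` support and a "Peer signing digest:" line in its output (OpenSSL 1.1.1 or later), and an SMTP server listening on port 25 with STARTTLS; the hostname is passed on the command line. The parsing and classification helpers are separated from the network call so they can be exercised on captured output.

```shell
#!/bin/sh
# Added example (not from the original post): probe which TLS 1.2 signature
# algorithms an SMTP server will still sign with, using openssl s_client.
# Assumptions: openssl >= 1.1.1 (prints "Peer signing digest:"), STARTTLS on
# port 25, and that a handshake restricted to one sigalg either succeeds
# (server signs with that digest) or fails (no digest line is printed).

# Read openssl s_client output on stdin and print the digest the server
# signed the handshake with, or "none" if no signature was seen (handshake
# failed or was rejected by the server).
peer_signing_digest() {
    awk '/Peer signing digest:/ { print $NF; found = 1 }
         END { if (!found) print "none" }'
}

# Return 0 if the digest is one a hardened server should no longer use.
# SHA-224 is the one the post is about; SHA-1 and MD5 are older rejects.
is_weak_digest() {
    case "$1" in
        SHA1|SHA224|MD5) return 0 ;;
        *)               return 1 ;;
    esac
}

# Offer a single sigalg to the server and report the digest it signed with.
# Prints "<sigalg> -> <digest> [WEAK]" and returns 0 if the server accepted.
probe_sigalg() {
    host=$1
    sigalg=$2
    digest=$(openssl s_client -connect "$host:25" -starttls smtp -tls1_2 \
                 -servername "$host" -sigalgs "$sigalg" </dev/null 2>/dev/null \
             | peer_signing_digest)
    if is_weak_digest "$digest"; then
        echo "$sigalg -> $digest [WEAK: server still signs with this]"
    else
        echo "$sigalg -> $digest"
    fi
    [ "$digest" != "none" ]
}

# Usage: ./probe-sigalgs.sh mail.example.com
# (hostname is a placeholder; nothing runs when no argument is given)
if [ -n "${1:-}" ]; then
    for alg in RSA+SHA224 ECDSA+SHA224 RSA+SHA256 RSA-PSS+SHA256 ECDSA+SHA256; do
        probe_sigalg "$1" "$alg" || true
    done
fi
```

After applying the `tls_config_file` change and reloading Postfix, the `RSA+SHA224` and `ECDSA+SHA224` lines should come back as `none` while the SHA-256 ones still show a digest; if a SHA-224 probe still prints `SHA224`, the running smtpd is not using the restricted `SignatureAlgorithms` list. The probe is pinned to TLS 1.2 because TLS 1.3 has no SHA-224 signature schemes at all, so that is where the exposure lives.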
_______________________________________________
Postfix-users mailing list -- [email protected]