For websites it seems that, for all practical purposes, ECC SSL certs are all
that's needed anymore;
cf. e.g. the comments at
https://www.thesslstore.com/blog/you-should-be-using-ecc-for-your-ssl-tls-certificates/
" ... All modern Operating Systems and Browsers support ECC ..."
For my sites, I don't care about failing service to those using old browsers.
Does the same hold true for smtp(d)?
In postfix, I've had for the longest time overrides in my main.cf,

    smtpd_tls_eckey_file = /etc/ssl/postfix/privkey_ec.pem
    smtpd_tls_eccert_file = /etc/ssl/postfix/fullchain.ec.crt.pem
    smtpd_tls_key_file = /etc/ssl/postfix/privkey_rsa.pem
    smtpd_tls_cert_file = /etc/ssl/postfix/fullchain.rsa.crt.pem

with letsencrypt happily renewing both the ECC & RSA algo certs.
As a first test I removed the two RSA lines, keeping the EC ones:

      smtpd_tls_eckey_file = /etc/ssl/postfix/privkey_ec.pem
      smtpd_tls_eccert_file = /etc/ssl/postfix/fullchain.ec.crt.pem
    - smtpd_tls_key_file = /etc/ssl/postfix/privkey_rsa.pem
    - smtpd_tls_cert_file = /etc/ssl/postfix/fullchain.rsa.crt.pem

which, IIUC, drops back to the 'empty' defaults of

    postconf -d smtpd_tls_key_file smtpd_tls_cert_file
    smtpd_tls_key_file = $smtpd_tls_cert_file
    smtpd_tls_cert_file =

and have seen no immediately adverse effects in mail flow. Far from robust
testing at this point ...
I don't have any idea of what the stats are; thought best to ask -- as for
mail, it's still arguably hit-and-miss for deliverability when disabling 'older
tech' ciphers, etc., depending on your service case.
Is it safe/recommended to not bother with the RSA certs anymore?
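Added example, not part of the original post and not Postfix's own code: a small Python script that tallies, from the "TLS connection established" summary lines Postfix 3.4+ writes for inbound smtpd sessions, which server signature algorithm each peer actually negotiated while both the ECDSA and the RSA cert were still offered. The log lines, host names and addresses embedded in it are constructed; the regex follows the Postfix 3.4+ summary format (the "key-exchange" and "server-signature" fields), which is an assumption to check against your own mail.log before trusting the numbers.

```python
import re
import sys
from collections import Counter, defaultdict

# Constructed sample log lines (not from the original post). The layout follows
# the per-session summary Postfix 3.4+ logs; only inbound smtpd sessions count.
SAMPLE_LOG = """\
Aug 10 12:00:01 mx postfix/smtpd[1001]: Anonymous TLS connection established from mail-a.example.net[192.0.2.10]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256
Aug 10 12:00:05 mx postfix/smtpd[1002]: Anonymous TLS connection established from mail-b.example.org[198.51.100.20]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
Aug 10 12:00:09 mx postfix/smtpd[1003]: Anonymous TLS connection established from legacy.example.com[203.0.113.30]: TLSv1.2 with cipher AES128-SHA (128/128 bits) key-exchange RSA (2048 bits)
Aug 10 12:00:12 mx postfix/smtp[1004]: Untrusted TLS connection established to mx.example.com[203.0.113.40]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256
Aug 10 12:00:15 mx postfix/smtpd[1005]: Anonymous TLS connection established from mail-a.example.net[192.0.2.10]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256
Aug 10 12:00:20 mx postfix/smtpd[1006]: connect from unknown[192.0.2.99]
"""

# Inbound (smtpd) sessions only; outbound postfix/smtp lines say "established to".
# key-exchange and server-signature are optional: old TLS 1.2 static-RSA suites
# have no server signature at all, and some Postfix builds log fewer fields.
LINE_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?:Anonymous|Untrusted|Trusted|Verified) TLS connection "
    r"established from (?P<peer>\S+): (?P<proto>TLSv[\d.]+) with cipher "
    r"(?P<cipher>\S+) \(\d+/\d+ bits\)"
    r"(?: key-exchange (?P<kex>[^ ]+)(?: \((?P<kexparam>[^)]*)\))?)?"
    r"(?: server-signature (?P<sig>[^ ]+)(?: \((?P<sigparam>[^)]*)\))?)?"
)


def classify(m):
    """Bucket one session by what the server cert was used for."""
    sig = m.group("sig") or ""
    kex = m.group("kex") or ""
    if sig.startswith("ECDSA"):
        return "ecdsa"          # the EC cert served this peer
    if sig.startswith("RSA"):   # "RSA" (PKCS#1) or "RSA-PSS"
        return "rsa"
    if not sig and kex == "RSA":
        return "rsa-static"     # TLS 1.2 static RSA kex: needs an RSA cert, no way around it
    return "other"              # e.g. Ed25519, or a line with fields we don't recognise


def tally(log_text):
    """Return (Counter of buckets, {peer: set(protocols)} for non-ECDSA peers)."""
    counts = Counter()
    non_ecdsa_peers = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue            # connect/disconnect noise, outbound sessions, etc.
        kind = classify(m)
        counts[kind] += 1
        if kind != "ecdsa":
            non_ecdsa_peers[m.group("peer")].add(m.group("proto"))
    return counts, dict(non_ecdsa_peers)


def report(log_text):
    counts, peers = tally(log_text)
    total = sum(counts.values())
    out = [f"{total} inbound smtpd TLS sessions"]
    for kind, n in counts.most_common():
        out.append(f"  {kind:<11}{n:>6}  ({100.0 * n / total:5.1f}%)")
    out.append("peers that did not use the ECDSA cert (retest before dropping RSA):")
    for peer in sorted(peers):
        out.append(f"  {peer}  {' '.join(sorted(peers[peer]))}")
    return "\n".join(out)


if __name__ == "__main__":
    # Usage: python tls_cert_stats.py /var/log/mail.log  (default: built-in sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(report(text))
```

Two caveats on reading the numbers. First, they are a lower bound on ECDSA support: with both certs installed, which one OpenSSL picks follows the client's cipher-suite order unless tls_preempt_cipherlist is set, so a peer logged under "rsa" may well have offered ECDSA suites too and would simply move over once the RSA cert is gone. Only the "rsa-static" bucket (TLS 1.2 suites with RSA key transport, which encrypt to the RSA public key) is hard evidence of a peer that cannot work without an RSA cert. Second, "no adverse effect in mail flow" is weak evidence for opportunistic-TLS peers: an MTA whose STARTTLS handshake fails will in many configurations retry or fall back to cleartext rather than bounce, so the symptom of a broken peer after removing the RSA cert is its sessions vanishing from the TLS summary lines, not a delivery failure. Run the tally over a log window from before the change and one from after, and compare which peers disappeared.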