On 1 Jun 2020, at 23:28, PGNet Dev wrote:

and, have seen no immediately adverse effects in mail flow. far from robust testing at this point

You won't see enough change in overall flow to see a difference above regular noise.

What you need to look at is how senders actually connect.

i don't have any idea of what the stats are; thought best to ask -- as for mail, it's still arguably hit-and-miss for deliverability with disabling 'older tech' ciphers, etc., depending on your service case.

Set "smtpd_tls_loglevel = 1" to get smtpd to record the cryptographic parameters of every TLS connection and you will have enough depth of data to make a decision.

is it safe/recommended to not bother with the rsa certs anymore?

I haven't tried it, but I would guess that it is not entirely safe. I still see some senders connecting with TLSv1.0, which implies the use of badly outdated and flawed TLS implementations. I don't think it is a good idea to see how many of those (and the TLSv1.3 clients who still use RSA) will break if I narrow what Postfix will accept.

--
Bill Cole
[email protected] or [email protected]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not For Hire (currently)
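As an added example (not from this thread, not Postfix code): a small Python script that tallies the handshake records smtpd writes at smtpd_tls_loglevel = 1 by protocol version and by the server key type each handshake relied on, which is the data needed to judge who still depends on TLSv1.0 or on the RSA certificate. The log lines are constructed in the shape Postfix 3.4+ logs them; the key-exchange / server-signature fields only appear with OpenSSL 1.1.1 or later, so the script falls back to the cipher suite name for TLSv1.2 and earlier.

```python
import re
from collections import Counter

# Constructed sample of smtpd log lines (hostnames and addresses are made up).
SAMPLE_LOG = """\
Jun  2 00:01:10 mx postfix/smtpd[2101]: Anonymous TLS connection established from mta1.example.net[192.0.2.10]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256
Jun  2 00:01:12 mx postfix/smtpd[2102]: Untrusted TLS connection established from relay.example.org[198.51.100.7]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
Jun  2 00:01:15 mx postfix/smtpd[2103]: Anonymous TLS connection established from old-mta.example.com[203.0.113.5]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Jun  2 00:01:20 mx postfix/smtpd[2104]: Anonymous TLS connection established from mta2.example.net[192.0.2.11]: TLSv1.2 with cipher ECDHE-ECDSA-AES128-GCM-SHA256 (128/128 bits)
Jun  2 00:01:25 mx postfix/smtpd[2105]: Anonymous TLS connection established from legacy.example.com[203.0.113.9]: TLSv1.2 with cipher AES256-GCM-SHA384 (256/256 bits)
Jun  2 00:01:30 mx postfix/smtpd[2106]: connect from unknown[203.0.113.44]
"""

# One handshake record; "extra" holds the optional key-exchange/signature fields.
LINE_RE = re.compile(
    r"TLS connection established from (?P<peer>\S+): "
    r"(?P<proto>TLSv[\d.]+) with cipher (?P<cipher>\S+) \((?P<bits>[^)]*)\)(?P<extra>.*)$"
)
SIG_RE = re.compile(r"server-signature (?P<alg>\S+)")


def server_auth(cipher, extra):
    """Which server key the handshake relied on: 'RSA', 'ECDSA', 'DSS' or 'unknown'."""
    m = SIG_RE.search(extra)
    if m:  # explicit signature algorithm, logged with OpenSSL 1.1.1+
        alg = m.group("alg").upper()
        return "RSA" if alg.startswith("RSA") else "ECDSA" if alg.startswith("ECDSA") else alg
    if cipher.startswith("TLS_"):
        return "unknown"  # TLS 1.3 suite names do not encode the authentication algorithm
    if "ECDSA" in cipher:
        return "ECDSA"
    if "DSS" in cipher:
        return "DSS"
    return "RSA"  # ECDHE-RSA-*, DHE-RSA-* and plain AES* (static RSA) all need the RSA key


def summarize(log_text):
    """Count handshakes per (protocol, server key type)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:  # skip non-handshake records such as plain 'connect from'
            counts[(m.group("proto"), server_auth(m.group("cipher"), m.group("extra")))] += 1
    return counts


def rsa_peers(log_text):
    """Sorted peers whose handshakes would fail if the RSA certificate were removed."""
    peers = {m.group("peer") for m in map(LINE_RE.search, log_text.splitlines())
             if m and server_auth(m.group("cipher"), m.group("extra")) == "RSA"}
    return sorted(peers)
```

Run it over a real mail log with `summarize(open("/var/log/mail.log").read())`; a non-empty `("TLSv1", ...)` bucket or a long `rsa_peers` list is the signal that narrowing protocols or dropping the RSA certificate will break senders.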
