Merge branch 'crypto' into 'master'

postfix: allow client to select the preferred cipher See merge request simple-nixos-mailserver/nixos-mailserver!412
2025-06-12 22:48:04 +00:00 · 2025-06-12 22:48:04 +00:00 · 54cb3e5784
commit 54cb3e5784
parent 8b27add088 f9b15192b8
1 changed files with 3 additions and 1 deletions
--- a/mail-server/postfix.nix
+++ b/mail-server/postfix.nix
@ -287,10 +287,12 @@ in
        smtp_tls_mandatory_exclude_ciphers = "MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL";
        smtp_tls_exclude_ciphers = "MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL";

-        tls_preempt_cipherlist = true;
+        # As long as all cipher suites are considered safe, let the client use its preferred cipher
+        tls_preempt_cipherlist = false;

        # Allowing AUTH on a non encrypted connection poses a security risk
        smtpd_tls_auth_only = true;
+
        # Log only a summary message on TLS handshake completion
        smtp_tls_loglevel = "1";
        smtpd_tls_loglevel = "1";