Let pci_compliance_resolver --enable postfix also set FORWARD SECURITY and go for TLSv1.3
Even though the server supports TLS 1.2, the cipher suite configuration is suboptimal. It is recommended to configure the server so that the cipher suites providing forward secrecy (ECDHE or DHE in the name, in this order of preference) and authenticated encryption (GCM or CHACHA20 in the name) are at the top. The server must also be configured to select the best-available suite!
Also, there is TLSv3: https://tools.ietf.org/html/rfc8446
(and the draft has already been in use by many for a long time ;)
http://www.postfix.org/TLS_README.html
And while working on the mail server, think about MTA Strict Transport Security (draft standard) and Email DANE / TLSA.
THX
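As an added example (not code from the original post or from the Postfix project), here is a Postfix main.cf fragment that applies what the request asks for: TLS 1.2/1.3 only, server-side suite selection, forward-secrecy and AEAD suites first, and DANE for outbound mail. The DH parameter file path is an assumed placeholder; Postfix does not allow trailing comments, so every comment sits on its own line.

```conf
# Added example, not from the original post. Postfix main.cf fragment.

# Before (the situation the request describes): TLS 1.2 is offered, but
# the client picks the suite and there is no preference order.
#smtpd_tls_security_level = may
#smtpd_tls_protocols = !SSLv2, !SSLv3
#tls_preempt_cipherlist = no

# After: only TLSv1.2 and TLSv1.3 (TLS 1.3 needs Postfix 3.4+ built
# against OpenSSL 1.1.1+; Postfix 3.6+ also accepts ">=TLSv1.2").
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

# Let the server, not the client, choose the suite, following the
# order of the cipher list below.
tls_preempt_cipherlist = yes

# "high" grade for mandatory (client-auth / submission) sessions.
# OpenSSL cipher-list syntax: ECDHE before DHE, AEAD (GCM, CHACHA20)
# only, no anonymous suites, no MD5. TLS 1.3 suites are all forward-
# secret AEAD and are not affected by this list.
smtpd_tls_mandatory_ciphers = high
tls_high_cipherlist = ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:!aNULL:!MD5

# Key-exchange parameters. "auto" needs Postfix 3.2+; use "strong"
# on older releases. The DH file is an assumed placeholder path,
# e.g. generated with: openssl dhparam -out /etc/postfix/dh2048.pem 2048
smtpd_tls_eecdh_grade = auto
smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem

# Outbound: DANE/TLSA as also mentioned in the request. Requires a
# DNSSEC-validating resolver in /etc/resolv.conf; without one Postfix
# silently downgrades DANE to "may".
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
smtp_tls_loglevel = 1
```

Leave the opportunistic inbound grade (smtpd_tls_ciphers) at its default rather than forcing "high": a legacy peer that cannot match a strict list would fall back to cleartext, which is worse than a weaker suite. Check the result with `postconf -n` and by watching the "Anonymous TLS connection established" lines in the mail log for the negotiated protocol and suite.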
This is a valid request, so we’ll look into it. There is no ETA at the moment, but we would really appreciate you voting for this request so that we can accurately assess its popularity relative to other features. Thanks in advance!
— rk
H50K commented
./acme.sh --issue -d mail.domain.tld --keylength ec-384
./acme.sh --issue -d mail.domain.tld --keylength 4096

It would be so nice to meet up-to-date *uh* actually not brand new :-D security preferences!
And it is not that hard to implement....