Hi,

yes it's quite old but nonetheless I did not say that the ESA does not support 
ECDSA (I'm no ESA expert at all) but it's not enabled (at least not on the 
instances that were trying to send mails to us). And yes that is an ESA 
operator problem but their mails will not arrive at hosts that use ECC 
certificates but on all with RSA certificates. After they changed the settings 
mails are flowing in.
So this was just an info for members of the list, that such problems exist. And 
maybe there are other systems which might have similar issues.

Regards
Norbert

-----Original Message-----
From: mailop <[email protected]> On Behalf Of Viktor Dukhovni via 
mailop
Sent: Tuesday, 18 March 2025 14:31
To: [email protected]
Cc: Viktor Dukhovni <[email protected]>
Subject: Re: [mailop] ECC Certificate for SMTP TLS

On Tue, Mar 18, 2025 at 09:39:16AM +0000, Fehlauer, Norbert via mailop wrote:

> Just wanted to share some insights after using the ECC certificates on
> a few MTAs over the past month. I only did see problems with sending
> Cisco ESA's, which don't have ECC certificate support enabled for
> outbound traffic in their default configuration as it seems:

> https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/200169-Configure-ESA-to-prefer-Perfect-Forward.html#anc8
> 
> Other sending MTAs did not pop up to my attention so far.

That document is ~7 years old, and quite outdated, it predates broad
adoption of TLS 1.3.  Nevertheless even there, the text states that at
the time ESAs did support ECDHE and ECDSA outbound, they just did not
prefer these by default:

   For OUTBOUND SMTP traffic, the ESA in addition to INBOUND supports
   ECDHE and ECDSA Certificates.  

If there are some ESA systems that don't support ECDSA, that's likely
a result of poor non-default choices of settings by the device operator.

-- 
    Viktor.
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
