The following patch from OpenBSD is missing from Gentoo, causing auto selection of EC curves to not work:

http://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/mail/postfix/snapshot/patches/Attic/patch-src_tls_tls_dh_c?rev=1.2&content-type=text/x-cvsweb-markup

This affects the setting "smtpd_tls_eecdh_grade", which by default is set to "auto". This causes postfix to lose eecdh support when the patch is not applied. It still works when it's set to another setting like "strong" or "ultra".

More information is also available in this FreeBSD bug report: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=216790

I've applied the patch locally and postfix then works as expected, i.e. it auto-selects prime256v1, secp521r1, secp384r1 or X25519 depending on the client. This can be tested with the ImmuniWeb® SSLScan tool at https://www.htbridge.com/ssl/.
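A way to check the behaviour described in the report from your own machine, without relying on a third-party scanner: the script below (an added example, not part of the bug report, the Gentoo ebuild or the Postfix project) performs one STARTTLS handshake per curve, each time offering only that curve as the client preference, and prints the "Server Temp Key" that openssl s_client reports. With smtpd_tls_eecdh_grade = auto the server should follow the client and the reported key should change between probes; with a fixed grade such as "strong" it answers with the same curve every time, and with the broken build the handshake falls back to a non-ECDHE key exchange or fails. The curve list, the host:port argument and the assumption that openssl understands "-starttls smtp" and "-curves" (OpenSSL 1.0.2 or later; LibreSSL naming may differ) are mine; the sample output used for the offline run is constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example (not from the bug report, Gentoo or Postfix): probe which
# ephemeral EC key a Postfix SMTP server negotiates for each curve a client
# prefers, to verify smtpd_tls_eecdh_grade = auto actually follows the client.
# Assumes an openssl binary supporting "-starttls smtp" and "-curves".

# Curves to offer, one per probe (assumed list, matching the report).
CURVES="prime256v1 secp384r1 secp521r1 X25519"

# Extract the "Server Temp Key" line openssl s_client prints after the
# handshake. Reads s_client output on stdin, prints e.g. "X25519, 253 bits"
# or nothing when no ephemeral key was negotiated.
parse_temp_key() {
    sed -n 's/^ *Server Temp Key: *//p' | head -n 1
}

# One handshake against $1 (host:port) offering only curve $2.
# Prints "curve -> server key".
probe_curve() {
    host="$1"; curve="$2"
    key=$(openssl s_client -connect "$host" -starttls smtp -curves "$curve" \
          </dev/null 2>/dev/null | parse_temp_key)
    printf '%s -> %s\n' "$curve" \
        "${key:-no ECDHE key (handshake failed or non-EC key exchange used)}"
}

# Probe every curve in CURVES against one server.
probe_all() {
    for c in $CURVES; do
        probe_curve "$1" "$c"
    done
}

# Constructed sample of the relevant s_client output lines, used for the
# offline demonstration below (not captured from a real server).
SAMPLE_OUTPUT='---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2691 bytes and written 302 bytes'

if [ -n "${1:-}" ]; then
    # Usage: sh probe_eecdh.sh mail.example.com:25   (hostname is a placeholder)
    probe_all "$1"
else
    # No server given: show the parser on the constructed sample only.
    printf 'parsed sample: %s\n' "$(printf '%s\n' "$SAMPLE_OUTPUT" | parse_temp_key)"
fi
```

Run it with the host:port of the MTA under test; without an argument it only exercises the parser on the embedded sample. Because each probe restricts the client to a single curve, a server on "auto" that works correctly should report P-256, P-384, P-521 and X25519 in turn (names vary with the openssl version), which is exactly the client-dependent selection the report describes.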
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=07c745adf5d94a8696c7830763e3714c467f95e6

commit 07c745adf5d94a8696c7830763e3714c467f95e6
Author:     Eray Aslan <eras@gentoo.org>
AuthorDate: 2018-06-27 06:07:30 +0000
Commit:     Eray Aslan <eras@gentoo.org>
CommitDate: 2018-06-27 06:07:30 +0000

    mail-mta/postfix: fix eccurve selection for libressl

    Closes: https://bugs.gentoo.org/659224
    Package-Manager: Portage-2.3.40, Repoman-2.3.9

 .../postfix/files/postfix-libressl-eccurve.patch |  16 ++
 mail-mta/postfix/postfix-3.3.1-r1.ebuild         | 302 +++++++++++++++++++++
 2 files changed, 318 insertions(+)