Enabling post-quantum cryptography for Postfix on Debian 13 Trixie

A few days ago Viktor Dukhovni sent an email to the Postfix users mailing list regarding post-quantum cryptography in Postfix.

This prompted me to investigate whether my mail server handles this correctly, so I checked my mail server with the command proposed by Mr Dukhovni:

$ (sleep 2; printf 'QUIT\r\n') |
        openssl s_client -starttls smtp -connect your.server-fqdn.example:25 \
            -groups "*X25519MLKEM768:*X25519:P-256:ffdhe3072" -state -brief

Note that you need OpenSSL 3.5 or higher installed on the machine running this check, since older versions do not know the ML-KEM hybrid groups or the "*" key-share syntax of the -groups option.

Result:

Connecting to #.#.#.#
SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS read server hello
SSL_connect:TLSv1.3 read encrypted extensions
SSL_connect:SSLv3/TLS read server certificate
SSL_connect:TLSv1.3 read server certificate verify
SSL_connect:SSLv3/TLS read finished
SSL_connect:SSLv3/TLS write change cipher spec
SSL_connect:SSLv3/TLS write finished
CONNECTION ESTABLISHED
Protocol version: TLSv1.3
Ciphersuite: TLS_AES_256_GCM_SHA384
Peer certificate: CN=my.server-fqdn.example
Hash used: SHA256
Signature type: ecdsa_secp256r1_sha256
Verification: OK
Peer Temp Key: X25519, 253 bits
250 CHUNKING DONE
SSL3 alert write:warning:close notify

So, it all seemed to work. However, on closer inspection, the negotiated key exchange is X25519, a classical curve, not a post-quantum hybrid!

Are post-quantum keys not supported then on Debian 13?

They should be! After all, Debian 13 ships OpenSSL 3.5?

Let’s check which version of OpenSSL we have and whether it supports post-quantum cryptography; and then which version of Postfix we have, and which TLS library it is linked against:

$ openssl version
OpenSSL 3.5.1 1 Jul 2025 (Library: OpenSSL 3.5.1 1 Jul 2025)

$ openssl list -kem-algorithms | grep -i mlkem
{ 2.16.840.1.101.3.4.4.1, id-alg-ml-kem-512, ML-KEM-512, MLKEM512 } @ default
{ 2.16.840.1.101.3.4.4.2, id-alg-ml-kem-768, ML-KEM-768, MLKEM768 } @ default
{ 2.16.840.1.101.3.4.4.3, id-alg-ml-kem-1024, ML-KEM-1024, MLKEM1024 } @ default
X25519MLKEM768 @ default
X448MLKEM1024 @ default
SecP256r1MLKEM768 @ default
SecP384r1MLKEM1024 @ default

$ postconf -d | grep mail_version
mail_version = 3.10.4

$ ldd /usr/lib/postfix/sbin/smtpd | grep ssl
libssl.so.3 => /lib/x86_64-linux-gnu/libssl.so.3 (0x00007f3881066000)

Everything seems to be present on the server! So why does it not work? Perhaps Postfix is not offering those groups by default. Let’s check:

$ postconf -n | grep tls_eecdh_auto_curves
X25519 X448 prime256v1 secp384r1 secp521r1

$ postconf -n | grep smtpd_tls_eecdh_grade
smtpd_tls_eecdh_grade = auto

Well, there we go! The post-quantum groups are not in Postfix’s default list!

Via the Archlinux wiki, I quickly got to the Postfix documentation. Have a look, it’s not much text at all.

I ended up with the following configuration changes:

$ cat /etc/postfix/main.cf
...
# Enable post-quantum cryptography from OpenSSL 3.5
tls_eecdh_auto_curves =
tls_ffdhe_auto_groups =
tls_config_file = ${config_directory}/openssl.conf
tls_config_name = postfix
...

And then the config file:

$ cat /etc/postfix/openssl.conf
postfix = postfix_settings

[postfix_settings]
ssl_conf = postfix_ssl_settings

[postfix_ssl_settings]
system_default = baseline_postfix_settings

[baseline_postfix_settings]
Groups = *X25519MLKEM768:*X448MLKEM1024 / *X25519:*X448 / P-256:P-384:P-521:ffdhe2048:ffdhe3072
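The following POSIX shell script is an added example, not code from the post, from Postfix or from OpenSSL. It audits a server for the configuration shown above: it checks a `postconf -n` dump for the four main.cf settings (the two built-in "auto" lists emptied, the OpenSSL config file and section name set), and checks the Groups line of the OpenSSL config for a key-share-marked ("*") ML-KEM hybrid in the first preference tuple. The function names and the constructed sample inputs are my own; the sample inputs mirror the post's configuration.

```shell
#!/bin/sh
# Added example (not from the post, Postfix or OpenSSL): audit a Postfix
# server for the post-quantum group settings described above.

# $1: output of `postconf -n`. Returns 0 when the four settings are present
# as the post sets them: the two built-in "auto" lists explicitly emptied so
# that the Groups line from the OpenSSL config takes effect, and the OpenSSL
# config file and section name both set.
audit_main_cf() {
  dump=$1
  for key in tls_eecdh_auto_curves tls_ffdhe_auto_groups; do
    printf '%s\n' "$dump" | grep -q "^$key *= *\$" || {
      printf 'main.cf: %s is not emptied; built-in list still in effect\n' "$key"
      return 1
    }
  done
  for key in tls_config_file tls_config_name; do
    printf '%s\n' "$dump" | grep -q "^$key *= *[^ ]" || {
      printf 'main.cf: %s is not set; OpenSSL config is not applied\n' "$key"
      return 1
    }
  done
  printf 'main.cf: post-quantum group settings present\n'
}

# $1: contents of the OpenSSL config. The Groups value is a list of
# preference tuples separated by "/"; entries prefixed with "*" are the
# key-share candidates (the same OpenSSL 3.5 syntax the post's s_client probe
# uses). Returns 0 when the first tuple contains a "*"-marked ML-KEM hybrid.
audit_groups() {
  groups=$(printf '%s\n' "$1" | sed -n 's/^Groups *= *//p' | head -n1)
  first=${groups%%/*}            # first preference tuple
  set -f                         # no pathname expansion of "*X25519..." words
  old_ifs=$IFS; IFS=:
  for g in $first; do
    case "$g" in
      \**MLKEM*)
        IFS=$old_ifs; set +f
        printf 'openssl.conf: first tuple offers ML-KEM hybrid %s\n' "$g"
        return 0 ;;
    esac
  done
  IFS=$old_ifs; set +f
  printf 'openssl.conf: no "*"-marked ML-KEM hybrid in first tuple: "%s"\n' "$first"
  return 1
}

# Constructed samples mirroring the post's configuration. On a live server use
#   audit_main_cf "$(postconf -n)" && audit_groups "$(cat /etc/postfix/openssl.conf)"
SAMPLE_MAIN_CF='tls_eecdh_auto_curves =
tls_ffdhe_auto_groups =
tls_config_file = /etc/postfix/openssl.conf
tls_config_name = postfix'
SAMPLE_OPENSSL_CONF='[baseline_postfix_settings]
Groups = *X25519MLKEM768:*X448MLKEM1024 / *X25519:*X448 / P-256:P-384:P-521:ffdhe2048:ffdhe3072'

audit_main_cf "$SAMPLE_MAIN_CF" && audit_groups "$SAMPLE_OPENSSL_CONF"
```

The two checks are deliberately separate: a Groups line that is correct but never applied (because tls_config_file or tls_config_name is missing, or because tls_eecdh_auto_curves still carries Postfix's built-in list) is the failure mode the post ran into, and the first check catches exactly that.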

Reload Postfix, and the above-mentioned test from Mr Dukhovni’s email should now yield a positive result.

$ (sleep 2; printf 'QUIT\r\n') |
        openssl s_client -starttls smtp -connect your.server-fqdn.example:25 \
            -groups "*X25519MLKEM768" -state -brief
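To turn the probe above (and the first one at the top of the post) into a pass/fail check, here is an added example in POSIX shell; it is not code from the post or from OpenSSL. It runs the post's s_client command and classifies the negotiated key exchange from the summary lines. The "Peer Temp Key:" line is the one shown in the post's output; the "Negotiated TLS1.3 group:" line is my assumption about what `-brief` prints when a KEM group is negotiated, which is why the classifier accepts either. The function names and the constructed sample output are my own.

```shell
#!/bin/sh
# Added example (not from the post or OpenSSL): classify what key exchange a
# mail server negotiated, from the output of the `openssl s_client -brief` probe.

# $1: captured s_client output. Returns 0 for an ML-KEM hybrid, 1 for a
# classical group only, 2 when no group line is present (the handshake did
# not complete). Looks at "Peer Temp Key:" (seen in the post's output) and
# "Negotiated TLS1.3 group:" (assumed form of the line for KEM groups).
pq_classify() {
  key=$(printf '%s\n' "$1" \
        | sed -n -e 's/^Peer Temp Key: *//p' -e 's/^Negotiated TLS1.3 group: *//p' \
        | head -n1)
  case "$key" in
    "")      printf 'no key exchange line: handshake did not complete\n'; return 2 ;;
    *MLKEM*) printf 'post-quantum hybrid: %s\n' "$key"; return 0 ;;
    *)       printf 'classical only: %s\n' "$key"; return 1 ;;
  esac
}

# $1: host:port of the SMTP server. Runs the post's STARTTLS probe (needs
# OpenSSL 3.5 or newer locally), offering the hybrid first and classical
# groups as fallback, so a classical result means the server declined ML-KEM.
# The -brief summary is written to stderr, hence 2>&1.
pq_probe() {
  out=$( (sleep 2; printf 'QUIT\r\n') \
         | openssl s_client -starttls smtp -connect "$1" \
             -groups '*X25519MLKEM768:*X25519:P-256:ffdhe3072' -brief 2>&1 )
  pq_classify "$out"
}

# Constructed sample, shaped like the post's first (pre-fix) run.
SAMPLE_BEFORE='Protocol version: TLSv1.3
Ciphersuite: TLS_AES_256_GCM_SHA384
Peer Temp Key: X25519, 253 bits'

if [ "$#" -gt 0 ]; then
  pq_probe "$1"                  # e.g. ./pq_probe.sh your.server-fqdn.example:25
else
  status=0
  pq_classify "$SAMPLE_BEFORE" || status=$?
  printf 'exit status %s\n' "$status"
fi
```

Because the probe offers classical fallbacks, a "classical only" result distinguishes a server that simply does not offer ML-KEM from a server that fails TLS altogether (exit status 2), which is useful when re-checking after the configuration change above.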

Whether it’s a good idea to enable this or not is up to you. This was just an exploration into post-quantum keys for Postfix on Debian 13 Trixie.