Since dovecot, postfix, nginx and openssl have all supported dual-stack ECDSA and RSA certificates for quite some time, I would love to see mailcow also generating ECC certificates.
ECC certificates use shorter keys and require less computing power while providing the same security as RSA. Because RSA certificates can be served as well, there should be no compatibility issues.
Acme-tiny seems to be capable of handling that, so the renewal script would have to be extended and dovecot's, postfix' and nginx' config files slightly changed.
I would like to support mailcow by creating a pull request for that, if you are interested. :-)
There is only one question that comes into my mind, which is still open:
- Since some users are probably using their own certificates instead of letsencrypt ones, ECDSA certificates should be optional and there must be the possibility to disable this functionality.
- Enabling / Disabling the feature requires the config files to be rewritten / adjusted.
- For dovecot and nginx that seems to be quite easy, as there already exists some logic that replaces env variables on startup. The necessary tls config lines could be placed into a separate file that gets included into the main config.
- But postfix doesn't have such an import mechanism as far as I can see and editing the main.cf seems like a bad idea to me. Is there another solution for that?
What do you think of the idea? :-)
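To show how a single ECC on/off switch could drive all three daemons' TLS settings (an added example, not mailcow's code): the certificate paths, the include-file names and the `apply_tls_config` helper are assumptions; the nginx, dovecot and postfix directives themselves are the real ones.

```shell
#!/bin/sh
# Added example, not mailcow's own code: render the dual-stack TLS settings for
# nginx, dovecot and postfix from one ECC on/off switch. All paths are
# assumptions; mailcow's real certificate locations may differ.
set -eu

RSA_CERT="${RSA_CERT:-/etc/ssl/mail/cert.pem}"        # assumed paths
RSA_KEY="${RSA_KEY:-/etc/ssl/mail/key.pem}"
ECC_CERT="${ECC_CERT:-/etc/ssl/mail/ecdsa-cert.pem}"
ECC_KEY="${ECC_KEY:-/etc/ssl/mail/ecdsa-key.pem}"

# $1 is "y" to serve the ECDSA certificate alongside RSA, anything else to
# serve RSA only (for users bringing their own certificates).
render_nginx() {
  # With two ssl_certificate directives nginx picks the one matching the
  # signature algorithms the client offers (nginx >= 1.11.0).
  printf 'ssl_certificate %s;\nssl_certificate_key %s;\n' "$RSA_CERT" "$RSA_KEY"
  [ "$1" = "y" ] || return 0
  printf 'ssl_certificate %s;\nssl_certificate_key %s;\n' "$ECC_CERT" "$ECC_KEY"
}

render_dovecot() {
  # Dovecot loads a second certificate via ssl_alt_cert / ssl_alt_key
  # (available since 2.2.31).
  printf 'ssl_cert = <%s\nssl_key = <%s\n' "$RSA_CERT" "$RSA_KEY"
  [ "$1" = "y" ] || return 0
  printf 'ssl_alt_cert = <%s\nssl_alt_key = <%s\n' "$ECC_CERT" "$ECC_KEY"
}

render_postfix() {
  # main.cf has no include directive, so emit name=value pairs that the
  # container start-up script can apply with `postconf -e` instead of editing
  # main.cf in place. The EC parameters are explicitly cleared when disabled,
  # so a previous run cannot leave a stale ECDSA certificate configured.
  printf 'smtpd_tls_cert_file=%s\nsmtpd_tls_key_file=%s\n' "$RSA_CERT" "$RSA_KEY"
  if [ "$1" = "y" ]; then
    printf 'smtpd_tls_eccert_file=%s\nsmtpd_tls_eckey_file=%s\n' "$ECC_CERT" "$ECC_KEY"
  else
    printf 'smtpd_tls_eccert_file=\nsmtpd_tls_eckey_file=\n'
  fi
}

# Write the nginx and dovecot fragments to include files and apply the postfix
# parameters. $1: "y"/"n", $2: directory for the include files (assumed).
apply_tls_config() {
  render_nginx "$1"   > "$2/tls-certs.nginx.conf"
  render_dovecot "$1" > "$2/tls-certs.dovecot.conf"
  render_postfix "$1" | while IFS= read -r kv; do postconf -e "$kv"; done
}
```

The include files are meant to be pulled in with nginx's `include` and dovecot's `!include`; `apply_tls_config y /some/dir` would need `postconf` on the path.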