Hi

On Tue, Jul 11, 2023 at 05:47:12PM +0200, Paul Menzel via mailop wrote:
> Testing the mail setup, I was surprised to have the key exchange parameters
> flagged [1]:
>
> a1241.mx.srv.dfn.de. DH-2048 insufficient

Is this test for web or e-mail? MX or MSA? Given that this host only reacts on port 25 but not on port 587, I assume this is MX.

> Mozilla's SSL Configuration Generator also suggests for *Intermediate* and
> *Old* [3]:
>
> # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
> # not actually 1024 bits, this applies to all DHE >= 1024 bits
> smtpd_tls_dh1024_param_file = /path/to/dhparam

This generator is for web and other authenticated use. You are talking about MX, which is unauthenticated in the absence of DANE.

For unauthenticated MX use you want to allow as much encrypted communication as possible. So don't disable TLS 1.0 or weak ciphers; clients will otherwise just downgrade to plaintext and make it worse. So if you are not ready to also cut off plaintext connections overall, don't touch it too much. Clients will often restrict themselves to more modern settings anyway.

> Have most of you moved to ECDHE? If not, are you using the predefined finite
> field groups specified in RFC 7919 [5]?

Every current system supports ECDHE, so sure. The original DH is dead, because it's just too slow.

Bastian

-- 
I have never understood the female capacity to avoid a direct answer to any question.
		-- Spock, "This Side of Paradise", stardate 3417.3
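The MX-versus-submission split described in the reply, as an added Postfix configuration example that is not part of the original thread: port 25 stays opportunistic with the RFC 7919 ffdhe2048 group from the Mozilla generator, while the authenticated submission service on 587 is where mandatory TLS and a modern protocol floor belong. The dhparam path and the master.cf override set are assumptions.

```ini
# main.cf: port 25 (MX) is unauthenticated without DANE, so TLS is
# opportunistic. Tightening protocols or ciphers here only pushes
# legacy senders back to plaintext.
smtpd_tls_security_level = may

# DH group from the thread (curl https://ssl-config.mozilla.org/ffdhe2048.txt);
# despite the parameter name this applies to all DHE >= 1024 bits.
# Path is an assumption.
smtpd_tls_dh1024_param_file = /etc/postfix/ffdhe2048.pem

# ECDHE is negotiated automatically on any current peer; "auto" lets
# Postfix pick the curve. DHE remains only as the fallback.
smtpd_tls_eecdh_grade = auto

# Log the negotiated protocol/cipher so downgrades to plaintext are visible.
smtpd_tls_loglevel = 1

# master.cf: submission (port 587) is authenticated, so here TLS is
# mandatory and old protocol versions can be refused safely.
# submission inet n  -  y  -  -  smtpd
#   -o syslog_name=postfix/submission
#   -o smtpd_tls_security_level=encrypt
#   -o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
#   -o smtpd_sasl_auth_enable=yes
#   -o smtpd_tls_auth_only=yes
```

The master.cf stanza is shown commented because it lives in a separate file; the `-o` overrides apply only to the submission service, leaving the port 25 defaults untouched.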
