On 08/19/2015 03:09 AM, L.P.H. van Belle wrote:
Hai,

Try it like this, there is no need for combining the certificates.


# TLS parameters
smtp_tls_cert_file = /etc/ssl/certs/certificate.cer
smtp_tls_key_file = /etc/ssl/private/certificate.key
smtpd_tls_cert_file = /etc/ssl/certs/certificate.cer
smtpd_tls_key_file = /etc/ssl/private/certificate.key

Thank you, I think I got it figured out, will be testing shortly


## RootCA and Intermediate are put here.
smtpd_tls_CApath = /etc/ssl/certs


and don't forget to regenerate your dhparams.
like:
if [ ! -d /etc/ssl/private ]; then
     mkdir -p /etc/ssl/private
     chmod 710 /etc/ssl/private
fi

## Create unique DH Groups
openssl dhparam -out /etc/ssl/private/dhparams512.pem 512
openssl dhparam -out /etc/ssl/private/dhparams1024.pem 1024
openssl dhparam -out /etc/ssl/private/dhparams2048.pem 2048
openssl dhparam -out /etc/ssl/private/dhparams4096.pem 4096

*snip*

As far as DH groups - I put a script in /etc/cron.daily that regenerates the 1024 and 2048 groups once a day.

I'm not sure 4096 adds any real-world benefit, just eats CPU cycles.

I'm not using 512 as I built postfix against LibreSSL and it doesn't support the export ciphers, and I don't think postfix 2.11.6 does either anyway, at least if I understood the docs.

So I'm trying with just the 2048 for now; if that's an issue then I'll follow the documentation on how to allow 1024 for some clients.

I'd like to eventually see the DHE ciphers go away in favor of ECDHE - not sure how soon that will happen.

I will be configuring postfix to only support ECDHE and DHE ciphers initially; well, after I get TLS working on this server, that is what I will try next. But I think DHE is only really needed for a few older clients at this point?
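The daily regeneration described above, written out as an added example (not the poster's own cron script): each group is generated into a temporary file, checked with `openssl dhparam -check`, and only then moved over the live file, so smtpd never picks up a half-written group. The directory and file names are the ones quoted in the thread; referencing the 2048-bit file from smtpd_tls_dh1024_param_file (the Postfix parameter for non-export DHE) is an assumption about this particular main.cf.

```shell
#!/bin/sh
# Added example for this thread, not the poster's script: regenerate Postfix
# DHE groups once a day from /etc/cron.daily. Each group is written to a
# temporary file, validated, and only then moved over the live file, so a
# partially written group is never read. Paths and sizes follow the thread;
# the live file is assumed to be referenced from main.cf as
#   smtpd_tls_dh1024_param_file = /etc/ssl/private/dhparams2048.pem
set -eu

# Only the non-export sizes are generated; 512-bit export groups are dropped,
# as in the thread.
valid_dh_bits() {
    case "$1" in
        1024|2048|4096) return 0 ;;
        *) return 1 ;;
    esac
}

# regen_dh_group BITS DIR: atomically replace DIR/dhparamsBITS.pem.
# Returns 1 on bad input or a missing directory, 2 if generation or the
# parameter check fails; the old file is left untouched in every failure case.
regen_dh_group() {
    bits=$1 dir=$2
    valid_dh_bits "$bits" || { echo "bad DH size: $bits" >&2; return 1; }
    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 1; }
    target="$dir/dhparams$bits.pem"
    tmp="$target.tmp.$$"
    openssl dhparam -out "$tmp" "$bits" 2>/dev/null \
        || { rm -f "$tmp"; echo "generation failed for $bits" >&2; return 2; }
    # Reject anything that is not a well-formed safe-prime group before it
    # goes live.
    openssl dhparam -check -noout -in "$tmp" >/dev/null 2>&1 \
        || { rm -f "$tmp"; echo "check failed for $bits" >&2; return 2; }
    # Same directory, so the rename is atomic.
    mv -f "$tmp" "$target"
}

# regen_dh_groups DIR BITS...: regenerate several groups, keep going when one
# fails, and report whether all of them succeeded.
regen_dh_groups() {
    dir=$1; shift
    rc=0
    for b in "$@"; do
        regen_dh_group "$b" "$dir" || rc=1
    done
    return "$rc"
}

# Daily cron use, as described in the thread (1024 and 2048 only):
#   regen_dh_groups /etc/ssl/private 1024 2048
```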
