On Sat, Oct 01, 2022 at 07:53:08PM -0600, Shawn Heisey wrote:
> Each time I renew my certificate, I generate a new 4096 bit dhparam
> value and append it to the certificate file that I use with all my
> TLS-capable software. The pem-formatted certificate file contains 4
> things: The server cert, the letsencrypt issuing cert, the private key,
> and that newly generated dhparam. Because of the private key, I set
> 0600 permissions on the file.
>
> When there is a dhparam in the certificate file, does postfix use it? I
> believe that haproxy does, which is where I got the idea to include a
> custom dhparam with every certificate.
This practice is largely obsolete, and a 4096-bit DHE prime is silly.
With recent Postfix versions DHE parameters are automatically
negotiated from a set of standard safe parameter sets negotiated with
the client.
https://www.postfix.org/postconf.5.html#smtpd_tls_dh1024_param_file
--
Viktor.
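As an added example (not code from this thread, from Postfix or from haproxy), here is a small Python inspector for the kind of PEM bundle described above: it counts the block types and, when a DH PARAMETERS block is present, decodes the PKCS#3 DER to report the prime size, so an admin can see at a glance whether an appended dhparam is still sitting in the file and how large it is. The DER helpers are my own minimal implementation and the sample bundle is constructed (placeholder base64, placeholder prime).

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def der_len(n):  # DER length octets, short or long form
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([n]) if n < 0x80 else bytes([0x80 | len(body)]) + body

def der_int(v):  # DER INTEGER; prepend 0x00 if the top bit is set
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    b = (b"\x00" if b[0] & 0x80 else b"") + b
    return b"\x02" + der_len(len(b)) + b

def dh_params_pem(p, g):
    # PKCS#3 DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }, PEM-wrapped
    body = der_int(p) + der_int(g)
    b64 = base64.encodebytes(b"\x30" + der_len(len(body)) + body).decode()
    return "-----BEGIN DH PARAMETERS-----\n" + b64 + "-----END DH PARAMETERS-----\n"

def read_tlv(buf, pos=0):  # one DER tag/length/value -> (tag, value, next_pos)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def dh_prime_bits(der):  # bit length of p in a DER DHParameter structure
    tag, seq, _ = read_tlv(der)
    ptag, p_bytes, _ = read_tlv(seq)
    if tag != 0x30 or ptag != 0x02:
        raise ValueError("not a DHParameter SEQUENCE starting with an INTEGER prime")
    return int.from_bytes(p_bytes, "big").bit_length()

def inspect_bundle(text):
    """Return ({label: count}, prime bits of the first DH PARAMETERS block or None)."""
    counts, dh_bits = {}, None
    for label, b64 in PEM_RE.findall(text):
        counts[label] = counts.get(label, 0) + 1
        if label == "DH PARAMETERS" and dh_bits is None:
            dh_bits = dh_prime_bits(base64.b64decode("".join(b64.split())))
    return counts, dh_bits

# Constructed sample in the thread's layout: placeholder base64 for the two certs
# and the key, plus a placeholder 4096-bit odd number (not a real safe prime) as p.
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nc2VydmVy\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\naXNzdWVy\n-----END CERTIFICATE-----\n"
    "-----BEGIN PRIVATE KEY-----\na2V5\n-----END PRIVATE KEY-----\n"
    + dh_params_pem((1 << 4095) | 1, 2))
```

Run `inspect_bundle(open(path).read())` against a real bundle to get the block counts and the dhparam prime size; a result of `None` for the second value means no dhparam is present.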