Re: smtpd and no DH parameters found in
On Sun, May 22, 2011 at 11:59:32PM +, Kevin Chadwick wrote:
> On Sun, 22 May 2011 23:12:21 +0100 Mikolaj Kucharski wrote:
> > If I'm using 4096-bit RSA key, do I need to use 4096-bit size DH parameters file?
>
> No
>
> > Do they need to match?
>
> No
>
> > Is it okay to have DH smaller or even bigger?
>
> Yes, some programs like dovecot manage it automatically so maybe? there's more info in the source code.

Do you mean more info in dovecot sources?

PS. I have delivery disabled for misc@, please keep me in CC.

--
best regards
q#
Re: smtpd and no DH parameters found in
On Thu, May 19, 2011 at 07:58:55PM +, Kevin Chadwick wrote:
> On Thu, 19 May 2011 01:06:49 +0100 Mikolaj Kucharski wrote:
> > On Thu, May 19, 2011 at 12:42:57AM +0200, Gilles Chehade wrote:
> > > smtpd is just telling you that you did not generate Diffie-Hellman parameters [see smtpd.conf(5) / starttls(8)], and that it will use its own builtin parameters. It is safe to ignore the message, but it is safer to actually take the time to generate your very own parameters. We don't do it when booting or starting smtpd for the first time because it can take a very looong time :-)
>
> Interestingly on the same unloaded system, sometimes it takes absolutely ages and sometimes it takes seconds.
>
> > Okay, but how big (long) a DH parameters file should I generate? Is this something as simple as:
> >
> > openssl dhparam -outform PEM -out dh.pem size
> >
> > I didn't really get that after reading smtpd.conf(5) and starttls(8).
>
> I do 1024 and regenerate it every so often (early morning, once a week or twice a year, depending on usage/preference)

Does the length of the DH parameters matter for different sizes or types of private key? If I'm using a 4096-bit RSA key, do I need to use a 4096-bit DH parameters file? Do they need to match? Is it okay to have DH smaller or even bigger?

I'm happy to read about it more, but the openssl(1) man page wasn't too helpful for me (unless I've missed something).

--
best regards
q#
Re: smtpd and no DH parameters found in
On Sun, 22 May 2011 23:12:21 +0100 Mikolaj Kucharski wrote:
> If I'm using 4096-bit RSA key, do I need to use 4096-bit size DH parameters file?

No

> Do they need to match?

No

> Is it okay to have DH smaller or even bigger?

Yes, some programs like dovecot manage it automatically so maybe? there's more info in the source code.
Re: smtpd and no DH parameters found in
On Thu, 19 May 2011 01:06:49 +0100 Mikolaj Kucharski wrote:
> On Thu, May 19, 2011 at 12:42:57AM +0200, Gilles Chehade wrote:
> > smtpd is just telling you that you did not generate Diffie-Hellman parameters [see smtpd.conf(5) / starttls(8)], and that it will use its own builtin parameters. It is safe to ignore the message, but it is safer to actually take the time to generate your very own parameters. We don't do it when booting or starting smtpd for the first time because it can take a very looong time :-)

Interestingly on the same unloaded system, sometimes it takes absolutely ages and sometimes it takes seconds.

> Okay, but how big (long) a DH parameters file should I generate? Is this something as simple as:
>
> openssl dhparam -outform PEM -out dh.pem size
>
> I didn't really get that after reading smtpd.conf(5) and starttls(8).
>
> --
> best regards
> q#

I do 1024 and regenerate it every so often (early morning, once a week or twice a year, depending on usage/preference)
Re: smtpd and no DH parameters found in
On Wed, May 18, 2011 at 11:27:14PM +0100, Mikolaj Kucharski wrote:
> Hi,
>
> I have smtpd(8) set up on one of my machines with TLS enabled. Each time I start /usr/sbin/smtpd (as root) I'm getting the following message:
>
> no DH parameters found in /etc/mail/certs/re0.dh
> using built-in DH parameters
>
> Do you know maybe why I see this? I'm getting this for the last few snapshots (IIRC). Didn't report it as though that was something temporary which you guys are aware of and will fix soon.

Hi Mikolaj,

I CC-ed misc@ as I received this question quite a few times in the last couple of days.

The message you're seeing is not an error and I will try to find a way to make it more clear.

smtpd is just telling you that you did not generate Diffie-Hellman parameters [see smtpd.conf(5) / starttls(8)], and that it will use its own builtin parameters. It is safe to ignore the message, but it is safer to actually take the time to generate your very own parameters. We don't do it when booting or starting smtpd for the first time because it can take a very looong time :-)

Gilles

--
Gilles Chehade http://www.poolp.org
Re: smtpd and no DH parameters found in
On Thu, May 19, 2011 at 12:42:57AM +0200, Gilles Chehade wrote:
> smtpd is just telling you that you did not generate Diffie-Hellman parameters [see smtpd.conf(5) / starttls(8)], and that it will use its own builtin parameters. It is safe to ignore the message, but it is safer to actually take the time to generate your very own parameters. We don't do it when booting or starting smtpd for the first time because it can take a very looong time :-)

Okay, but how big (long) a DH parameters file should I generate? Is this something as simple as:

openssl dhparam -outform PEM -out dh.pem size

I didn't really get that after reading smtpd.conf(5) and starttls(8).

--
best regards
q#
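The thread leaves two practical questions hanging: what the "size" argument to `openssl dhparam` actually is, and how to tell whether an existing dh.pem is sane. The size is the bit length of the prime modulus p, it has nothing to do with the RSA key size, and the file itself is just a PEM-wrapped DER SEQUENCE of two INTEGERs (p and g; OpenSSL may append an optional third one). What `openssl dhparam -check` verifies is that p is a safe prime (p and (p-1)/2 both prime) and that g is not a trivial element. The script below is an added example written for this page, not OpenBSD smtpd code and not code from anyone in the thread: it parses a dh.pem with the standard library only, reports the modulus size, and re-implements the safe-prime and generator checks with Miller-Rabin, so you can audit the file smtpd reads (the path /etc/mail/certs/re0.dh from the original post is used only as an illustration). The tiny safe-prime generator exists so the script can demonstrate itself on a constructed 64-bit group; real parameters should come from `openssl dhparam`, and today that means 2048 bits or more, since 1024-bit groups are considered too weak.

```python
"""Audit a PEM "DH PARAMETERS" file such as the /etc/mail/certs/re0.dh smtpd looks for.

Added example (not OpenBSD smtpd code, not code from the list posters). The PEM body
is base64 DER: SEQUENCE { INTEGER p, INTEGER g [, INTEGER privateValueLength] }.
The dhparam "size" is p.bit_length(); the group is sound when p is a safe prime
(p and (p-1)/2 prime) and g is not 0, 1 or p-1 mod p.
"""
import base64
import random
import re
import sys

_RNG = random.SystemRandom()


def is_probable_prime(n, rounds=40):
    """Miller-Rabin with `rounds` random bases; exact for the small primes listed."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_RNG.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def is_safe_prime(p):
    """True when p = 2q + 1 with both p and q prime, which is what dhparam generates."""
    return p > 5 and p % 2 == 1 and is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der_int(v):
    b = v.to_bytes((v.bit_length() + 8) // 8, "big")  # extra byte keeps the INTEGER positive
    return b"\x02" + _der_len(len(b)) + b


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def encode_dh_pem(p, g):
    """Write a DH PARAMETERS block in the same layout openssl dhparam produces."""
    body = _der_int(p) + _der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len(len(body)) + body).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


def parse_dh_pem(pem):
    """Return (p, g) from a PEM DH PARAMETERS block; raise ValueError if malformed."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag_p, p_bytes, pos = _read_tlv(seq, 0)
    tag_g, g_bytes, _ = _read_tlv(seq, pos)   # any third INTEGER is ignored
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected INTEGER p, INTEGER g")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def check_dh_pem(pem):
    """Summarise a dh.pem: modulus size in bits, safe-prime status, generator sanity."""
    p, g = parse_dh_pem(pem)
    return {
        "bits": p.bit_length(),
        "safe_prime": is_safe_prime(p),
        # for a safe prime every g other than 0, 1 and p-1 has order q or 2q
        "generator_ok": g % p not in (0, 1, p - 1),
    }


def generate_safe_prime(bits):
    """Toy safe-prime generator for the self-test; use openssl dhparam for real groups."""
    while True:
        q = _RNG.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1


if __name__ == "__main__":
    if len(sys.argv) > 1:
        pem = open(sys.argv[1]).read()                  # e.g. /etc/mail/certs/re0.dh
    else:
        pem = encode_dh_pem(generate_safe_prime(64), 2)  # constructed 64-bit demo group
    print(check_dh_pem(pem))
```

Run it as `python3 dhcheck.py /etc/mail/certs/re0.dh` (file name assumed) to get the size and validity of the parameters smtpd will load; a file generated with `openssl dhparam -out re0.dh 2048` reports `bits: 2048, safe_prime: True, generator_ok: True`. The generator test is deliberately the group-theoretic one (g must not be 0, 1 or p-1), not OpenSSL's residue heuristics, so it accepts any g that actually has large order.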