On Mon, Mar 25, 2024 at 09:24:23AM +0100, Alexander Leidinger wrote:
> thought-chain could be:
> IF there is no MITM, and IF the session is encrypted, then at least use good
> encryption so that an attacker who is only able to listen is not able to
> get the content.
But, in that case, the
On 2024-03-23 17:17, Viktor Dukhovni via Postfix-users wrote:
PS: As of January 2024, the German BSI has tightened its recommendation
for asymmetric algorithms over finite fields to at least 3000 bits
(i.e. RSA encryption, RSA signatures and FFDH).
With little thought about the opportunistic
On 2024-03-23 15:58, Matthias Nagel via Postfix-users wrote:
I wonder whether setting `smtpd_tls_dh1024_param_file` to a custom
2048-bit DH group would help? But from my understanding of the docs
that should not be necessary as Postfix 3.8.5 uses a built-in 2048-bit
group if left empty.
On Sat, Mar 23, 2024 at 03:58:15PM +0100, Matthias Nagel via Postfix-users
wrote:
> So the question still stands, how do I ensure that Postfix uses at
> least 2048-bit DH, if TLS 1.2 and FFDH have been negotiated?
As an SMTP server, Postfix uses a 2048-bit built-in group, or else
whatever group
On Sat, Mar 23, 2024 at 12:36:23PM +0100, Matthias Nagel via Postfix-users
wrote:
> I am currently assessing the TLS security of a Postfix mail server and
> among other things sslscan reported that the server allows a (non-EC)
> DH exchange with only 1024 bits.
The Postfix SMTP server uses
I am running Postfix mail-mta/postfix-3.8.5 with dev-libs/openssl-3.0.13. If I
understood correctly, my Postfix server should not use an FF group with 1024
bits, but at least 2024 bits. (References to the docs are given below.)
So the question still stands, how do I ensure that Postfix uses at
On Sat, Mar 23, 2024 at 12:36:23PM +0100, Matthias Nagel via Postfix-users
wrote:
> I am currently assessing the TLS security of a Postfix mail server and among
> other things sslscan reported that the server allows a (non-EC) DH exchange
> with only 1024 bits. While one solution would be to