On 2015/08/13 17:20, Todd C. Miller wrote:
> Some mail servers (notably gmail) have stopped supporting TLS using
> DSA keys.  I've adapted the bits in smtpd.conf(5) to fit.

Generally looks good but one thing I'm wondering about.

> +.Dl # openssl genrsa -out /etc/ssl/private/mail.example.com.key 4096
> +.Pp
> +This would generate a 4096-bit

Is 4096-bit overkill? When we updated ssl(8) we settled on 2048-bit
though that's more aimed at https where response time is more
important.

Related to this: smtpd(8) has compiled-in 1024-bit DH parameters.
This probably wants at least bumping to 2048 though I wonder if it
might be better to remove the compiled-in value completely and
require it to be read from a file instead. Would it make sense to
have a common "system" dh params file, in a similar vein to ssh's
/etc/moduli? (Actually, could we just *use* /etc/moduli?)
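Review bot: the quoted smtpd.conf(5) hunk ties the example command and the explanatory sentence to the same number; if the key size in `openssl genrsa -out /etc/ssl/private/mail.example.com.key 4096` is lowered to 2048 as the reply suggests, the following `This would generate a 4096-bit` sentence has to change in step, so it is worth expressing the size once or double-checking both lines in the final diff.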
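As an added example, not code from this thread or from OpenBSD/OpenSMTPD: a Python sketch of what reading DH parameters from a moduli(5)-style file would involve, to go with the question above about reusing /etc/moduli. It parses the seven-field layout, applies sanity checks in the spirit of the ones OpenSSH's dh.c performs before trusting an entry (type 2 safe prime, composite flag clear, at least one test and one trial, and the modulus bit count equal to size + 1, since /etc/moduli records a 2048-bit prime with size 2047), confirms the safe-prime property with Miller-Rabin, filters by a minimum size, and emits the chosen group as the PKCS#3 "DH PARAMETERS" PEM that openssl dhparam(1) writes and TLS servers read. The moduli lines are constructed toy entries built around tiny safe primes (23, 47, 1019, 2879) so it runs instantly; the function names, the min_bits threshold and the sample data are my assumptions, not anything from the page.

```python
"""Select a DH group from a moduli(5)-style file and emit PKCS#3 DH PARAMETERS.
Added example for the /etc/moduli question in the thread; not OpenBSD/OpenSMTPD code."""
import base64
import random

MODULI_TYPE_SAFE = 2        # type field: 'safe' prime, (p-1)/2 also prime
MODULI_TESTS_COMPOSITE = 1  # tests bitmask: modulus is known composite
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

# Constructed toy data in the moduli(5) layout: time type tests trials size generator modulus(hex).
# Real files hold 1024..8192-bit primes recorded as size 1023..8191; these are tiny safe primes.
# The last three lines are deliberately bad: Sophie Germain type, composite flag, even modulus.
SAMPLE_MODULI = """\
# constructed entries, not from a real /etc/moduli
20150813172000 2 6 100 4 5 17
20150813172000 2 6 100 5 5 2F
20150813172000 2 6 100 9 2 3FB
20150813172000 2 6 100 11 2 B3F
20150813172000 4 6 100 5 2 17
20150813172000 2 1 100 11 2 B3F
20150813172000 2 6 100 11 2 B3E
"""

def parse_moduli(text):
    """Return one dict per non-comment line; p and g are ints parsed from hex."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 7:
            raise ValueError("line %d: expected 7 fields, got %d" % (lineno, len(fields)))
        when, typ, tests, trials, size, gen, mod = fields
        entries.append({"line": lineno, "time": when, "type": int(typ),
                        "tests": int(tests), "trials": int(trials),
                        "size": int(size), "g": int(gen, 16), "p": int(mod, 16)})
    return entries

def is_probable_prime(n, rounds=16):
    """Trial division by small primes, then Miller-Rabin with random bases."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def entry_is_usable(e):
    """Sanity checks in the spirit of OpenSSH's moduli parser, plus a safe-prime test.
    Note size + 1: /etc/moduli stores a 2048-bit prime with size 2047."""
    p, g = e["p"], e["g"]
    if e["type"] != MODULI_TYPE_SAFE:
        return False
    if e["tests"] == 0 or e["tests"] & MODULI_TESTS_COMPOSITE:
        return False
    if e["trials"] < 1 or p.bit_length() != e["size"] + 1:
        return False
    if not 1 < g < p - 1:
        return False
    return is_probable_prime(p) and is_probable_prime((p - 1) // 2)

def usable_groups(text, min_bits):
    """All acceptable (bits, p, g) triples of at least min_bits, smallest first."""
    return sorted((e["p"].bit_length(), e["p"], e["g"])
                  for e in parse_moduli(text)
                  if entry_is_usable(e) and e["p"].bit_length() >= min_bits)

def choose_group(text, min_bits):
    """Pick at random among the entries of the smallest acceptable size >= min_bits."""
    groups = usable_groups(text, min_bits)
    if not groups:
        raise ValueError("no usable group of at least %d bits" % min_bits)
    best = groups[0][0]
    return random.choice([(p, g) for bits, p, g in groups if bits == best])

def der_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_integer(n):
    # +8 bits reserves a leading 0x00 whenever the top bit is set (DER INTEGER is signed)
    body = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return b"\x02" + der_length(len(body)) + body

def dh_params_der(p, g):
    """PKCS#3 DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }"""
    body = der_integer(p) + der_integer(g)
    return b"\x30" + der_length(len(body)) + body

def dh_params_pem(p, g):
    """The 'DH PARAMETERS' PEM form written by openssl dhparam(1)."""
    b64 = base64.b64encode(dh_params_der(p, g)).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN DH PARAMETERS-----", *lines,
                      "-----END DH PARAMETERS-----"]) + "\n"

if __name__ == "__main__":
    p, g = choose_group(SAMPLE_MODULI, 10)   # use 2048 against a real /etc/moduli
    print("selected %d-bit group with generator %d" % (p.bit_length(), g))
    print(dh_params_pem(p, g), end="")
```

Against a real /etc/moduli, call `choose_group(open("/etc/moduli").read(), 2048)`, write the PEM to a file and run `openssl dhparam -in dh.pem -check -text` to confirm OpenSSL accepts it; the pure-Python primality tests on 2048-bit entries take a second or two. The off-by-one in the size field is the detail most likely to bite anyone who wires /etc/moduli into a TLS server: filtering on `size >= 2048` silently skips every 2048-bit group.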
