Thank you very much! As Bernd Wurst commented, I also needed to have the entire PEM file plus the contents of the dhparams file I had generated in one file for it to work as TLS_DHCERTFILE; otherwise it won't work, with the error message "error:0906D06C:PEM routines:PEM_read_bio:no start line".
I would like to add, however, that in addition to setting this option in esmtpd-ssl you also need to set the same option in esmtpd! Otherwise you will have the DHE ciphers on SMTP-over-SSL port 465, but NOT with STARTTLS on port 25!

Thanks again,
Gerald

PS: It's really great to have a lot of knobs. But most users will never notice all the knobs, therefore - if possible - security settings should provide the best security by default. [At least from the perspective of a non-US citizen; your opinion on this may vary if you belong to the country that does the spying instead of living in the country being spied on :-)]

On 21.08.2013 03:09, Sam Varshavchik wrote:
> Sam Varshavchik writes:
>
>> Gerald Hopf writes:
>>
>>> default. If even the official courier-mta.org MX server doesn't have
>>> this correctly enabled, I somehow doubt anyone else does... And somehow
>>> dovecot/postfix seem to manage to have this as default without
>>> generating special DH parameter files?
>>
>> It's two opposite philosophies. You can either try to do everything
>> automatically and by default. But, if the default rules don't work
>> for someone, there's little they can do.
>>
>> Or, provide a knob for every setting, putting you in charge and full
>> control of everything. You have more work to do, but you have more
>> flexibility.
>>
>> I don't know offhand why you cannot get the ciphers you want. All the
>> moving pieces should be in place. The DH parameters should get
>> loaded, if they exist. I'll try to do some tinkering later, myself.
>
> Ok, here's exactly what I mean. In your esmtpd-ssl, imapd-ssl, or
> pop3-ssl configuration file, set the TLS_DHCERTFILE setting to the
> file that has your DH parameters, in PEM format. It can be the same
> file as the TLS_CERTFILE.
>
> Results:
>
> Version: TLSv1/SSLv3
> Bits: 256
> Cipher: DHE-RSA-AES256-SHA

_______________________________________________
courier-users mailing list
courier-users@lists.sourceforge.net
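Added example (not code from this thread, from Courier, or from either poster): a POSIX shell script that does the two things the exchange above settles. It builds the single file TLS_DHCERTFILE has to point at (the certificate PEM followed by the DH parameters), checks that both PEM blocks are actually present before a daemon tries to load it, and writes the same setting into both esmtpd-ssl and esmtpd so that port 465 and STARTTLS on port 25 get the DHE ciphers alike. All file paths are assumptions (it works in a temporary directory rather than /etc/courier), and the PEM bodies are constructed placeholders so it runs offline; a real deployment substitutes its own certificate file and the output of openssl dhparam.

```sh
#!/bin/sh
# Added example for the courier-users thread above; not Courier's own code.
# Builds the combined TLS_DHCERTFILE, checks it, and sets the knob in both
# esmtpd-ssl and esmtpd. Paths are assumptions; PEM bodies are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Constructed placeholder PEM material so the script runs offline.
# In a real deployment cert.pem is the file TLS_CERTFILE points at and
# dhparams.pem is the output of:  openssl dhparam -out dhparams.pem 2048
write_samples() {
    cat > "$WORK/cert.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVIgQ0VSVElGSUNBVEUgQk9EWQ==
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
UExBQ0VIT0xERVIgUFJJVkFURSBLRVkgQk9EWQ==
-----END PRIVATE KEY-----
EOF
    cat > "$WORK/dhparams.pem" <<'EOF'
-----BEGIN DH PARAMETERS-----
UExBQ0VIT0xERVIgREggUEFSQU1FVEVSUw==
-----END DH PARAMETERS-----
EOF
    # Minimal stand-ins for the esmtpd-ssl and esmtpd config files:
    # one already carries an empty TLS_DHCERTFILE line, the other none.
    printf '# stand-in esmtpd-ssl\nTLS_DHCERTFILE=\n' > "$WORK/esmtpd-ssl"
    printf '# stand-in esmtpd\nESMTPDSTART=YES\n'     > "$WORK/esmtpd"
}

# Certificate PEM first, then the DH parameters, in one file. It carries the
# private key, so keep it readable by the owner only.
build_dhcertfile() {
    cat "$1" "$2" > "$3"
    chmod 600 "$3"
}

# Succeeds only when the file holds both a CERTIFICATE block and a
# DH PARAMETERS block. Pointing TLS_DHCERTFILE at the bare dhparams output
# (no certificate block) is what produces the "PEM_read_bio:no start line"
# error quoted in the thread.
check_dhcertfile() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" || return 1
    grep -q -- '-----BEGIN DH PARAMETERS-----' "$1" || return 1
}

# Set TLS_DHCERTFILE in one Courier config file: replace an existing
# (possibly commented-out) assignment, otherwise append one. Written via a
# temp file so it works with any POSIX sed, not only GNU "sed -i".
set_dhcertfile() {
    cfg="$1"; path="$2"
    if grep -q '^#*TLS_DHCERTFILE=' "$cfg"; then
        sed "s|^#*TLS_DHCERTFILE=.*|TLS_DHCERTFILE=$path|" "$cfg" > "$cfg.tmp"
        mv "$cfg.tmp" "$cfg"
    else
        printf 'TLS_DHCERTFILE=%s\n' "$path" >> "$cfg"
    fi
}

# Effective value: the last uncommented assignment in the file.
get_dhcertfile() {
    sed -n 's/^TLS_DHCERTFILE=//p' "$1" | tail -n 1
}

# Returns 0 when both the SMTP-over-SSL daemon config ($1) and the STARTTLS
# daemon config ($2) point at the same combined file ($3).
both_daemons_configured() {
    [ "$(get_dhcertfile "$1")" = "$3" ] && [ "$(get_dhcertfile "$2")" = "$3" ]
}

write_samples
build_dhcertfile "$WORK/cert.pem" "$WORK/dhparams.pem" "$WORK/dhcert.pem"
check_dhcertfile "$WORK/dhcert.pem"
for cfg in "$WORK/esmtpd-ssl" "$WORK/esmtpd"; do
    set_dhcertfile "$cfg" "$WORK/dhcert.pem"
done
both_daemons_configured "$WORK/esmtpd-ssl" "$WORK/esmtpd" "$WORK/dhcert.pem" \
    && echo "TLS_DHCERTFILE=$WORK/dhcert.pem set in esmtpd-ssl and esmtpd"
```

Run it as-is to see the flow on the placeholder files, or point WORK at a scratch copy of your config directory and swap the two cat heredocs for your real certificate file and dhparams output; after restarting both daemons, the same openssl s_client check Sam used against port 465 should report a DHE cipher against port 25 with STARTTLS as well.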