Hanno Böck writes:

> On Fri, 19 Sep 2014 18:50:51 -0400
> Sam Varshavchik <mr...@courier-mta.com> wrote:
> 
> > The certificate file is getting rejected by the OpenSSL library.
> > That's where this error is coming from.
> 
> I now found out what is wrong. It seems courier now needs dh params
> either in the pem file or separately via TLS_DHPARAMS. We didn't have
> them in our config yet.
> 
> However, while looking at this I found something worrying:
> It seems the mkdhparams script defaults to 768 bit and the mkesmtpd
> script defaults to 512 bit DH params. That's completely and utterly
> insecure.

I'm going to drop the bit that generates DH params in the cert file; that's no longer needed. That used to be the case, until the DH parameters were moved to a separate file; and right now the separate file gets checked first; the code that tries the cert as a fallback is only there in case someone has an old config, and doesn't bother to refresh the cert file.

> It's insecure in a way that this is practically breakable on a normal
> home PC these days.
> 
> I'd strongly advise to raise these defaults to 2048, which is a
> reasonable value these days.

Most SMTP servers use self-signed certs, and, consequently, will not verify that a peer's cert is signed by a trusted CA. This certainly doesn't help things.

I just ran a test, and on a medium-powered server, it took 2 minutes to generate a 2048-bit parameter. That's not too bad, I suppose. A new install will have to generate that the first time the server gets started, and things will pretty much come to a halt, until that's done and over with. Will have to make that prominent, somewhere…
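An added audit check for the situation discussed above (my example, not courier's code and not anything posted in the thread): it scans a PEM file, whether the cert file or the one named by TLS_DHPARAMS, for a DH PARAMETERS block and reports whether the parameters are missing, below 2048 bits, or fine. The small PKCS#3 encoder and the sample inputs are assumptions built for the demo; the sample moduli are constructed integers of the stated sizes, not real DH primes.

```python
import base64
import re
MIN_DH_BITS = 2048  # the minimum the thread recommends
_DH_BLOCK = re.compile(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S)

def _der_len(n):  # DER length octets: short form below 128, long form above
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der_int(value):  # DER INTEGER; keeps a 0x00 pad byte when the top bit is set
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body

def dh_params_pem(p, g=2):  # PEM-encode PKCS#3 DHParameter ::= SEQUENCE { prime, base }
    body = _der_int(p) + _der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len(len(body)) + body).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"

def _read_tlv(buf, pos=0):  # one DER tag/length/value -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def dh_prime_bits(pem_text):  # bit length of the prime in the first DH block, None if absent
    m = _DH_BLOCK.search(pem_text)
    if not m:
        return None
    tag, seq, _ = _read_tlv(base64.b64decode("".join(m.group(1).split())))
    if tag != 0x30:
        raise ValueError("DH PARAMETERS block is not a SEQUENCE")
    tag, prime, _ = _read_tlv(seq)
    if tag != 0x02:
        raise ValueError("first DHParameter element is not an INTEGER")
    return int.from_bytes(prime, "big").bit_length()

def check_dh_params(pem_text, minimum=MIN_DH_BITS):
    """Audit verdict for one PEM file: ('missing', None), ('weak', bits) or ('ok', bits)."""
    bits = dh_prime_bits(pem_text)
    if bits is None:
        return "missing", None
    return ("ok" if bits >= minimum else "weak"), bits

# Constructed samples: the moduli are NOT real DH primes, only integers of the sizes discussed; the cert block is a placeholder that is never parsed.
WEAK_PEM = ("-----BEGIN CERTIFICATE-----\n(placeholder, not parsed)\n-----END CERTIFICATE-----\n"
            + dh_params_pem((1 << 511) | 1))
STRONG_PEM = dh_params_pem((1 << 2047) | 1)
```

Running `check_dh_params` over the contents of the cert file and the TLS_DHPARAMS file reproduces the two findings in the thread: a file with no DH block at all, and one carrying the old 512-bit default.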

courier-users mailing list
courier-users@lists.sourceforge.net