Hi A.Schulze,

Want to draw your attention to https://www.rfc-editor.org/rfc/rfc7919 and https://ssl-config.mozilla.org/ as it can change your view a bit on DH. These keys are publicly available, e.g. https://ssl-config.mozilla.org/ffdhe4096.txt

About key size: if you go above 2048, you already break some old software, so there is no reason to stick to 3072; go with 4096...

--
*Best Regards,*
Dmitriy Alekseev
DevOps Engineer

On Sun, 21 Sept 2025, 11:59 A.Schulze via Postfix-users, <[email protected]> wrote:

> Hello,
>
> German regulations (TR-02102-2 [1]) say that using 2048 bit Diffie-Hellman
> parameters is "deprecated".
> Not using DHE cipher suites is one option, but that limits TLS communication
> with some sites, which will fall back to plaintext then.
> So, I have to use 3072 bit or 4096 bit DH parameters.
>
> As 3072 seems cheaper, I generated my own parameters using the commands the
> postfix docs [2] suggest:
>
> $ openssl dhparam -out /etc/postfix/dh3072.pem 3072
> $ postconf -e smtpd_tls_dh1024_param_file=/etc/postfix/dh3072.pem
>
> But now, https://internet.nl says, "Self-generated groups are
> 'Insufficient'."
> The site also refers to RFC 9719 providing "Negotiated Finite Field
> Diffie-Hellman Ephemeral Parameters for TLS" [3].
> Unfortunately, this document does not provide the data in a simply usable PEM
> format.
>
> I would not discuss why "Self-generated groups are 'Insufficient'",
> but where could I find RFC 9719 compatible data in PEM format?
>
> Andreas
>
> [1] https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-2.html
> [2] https://www.postfix.org/postconf.5.html#smtpd_tls_dh1024_param_file
> [3] https://datatracker.ietf.org/doc/html/rfc7919
>
> _______________________________________________
> Postfix-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
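The two practical questions in this thread are "where do I get the RFC 7919 groups as PEM" and "is the PEM file I installed really one of those groups rather than a self-generated one". The script below, an added example written for this thread and not code from Postfix, Mozilla or either poster, answers both offline: it rebuilds the ffdhe2048/3072/4096 primes from the formula RFC 7919 publishes in its Appendix A (p = 2^b - 2^(b-64) + {[2^(b-130) * e] + X} * 2^64 - 1, generator 2, with the per-size X constants from that appendix), runs a Miller-Rabin check so a mistyped constant cannot go unnoticed, encodes the group as the PKCS#3 "DH PARAMETERS" PEM block that `smtpd_tls_dh1024_param_file` expects, and can parse an existing PEM file (such as Mozilla's ffdhe4096.txt or the output of `openssl dhparam`) and report which ffdhe group, if any, it contains. The function names and the tiny DER encoder/decoder are this example's own; only the RFC formula, the Postfix parameter and the PEM label are taken from the thread and the standards it cites.

```python
"""Rebuild RFC 7919 ffdhe groups, write them as PEM 'DH PARAMETERS', and
identify whether a PEM file holds one of them.  Example code for this thread;
not Postfix, OpenSSL or Mozilla code."""
import base64
from functools import lru_cache

# RFC 7919 Appendix A: p = 2^b - 2^(b-64) + {[2^(b-130) * e] + X} * 2^64 - 1, g = 2.
# X constants as published there for the three sizes discussed in the thread.
FFDHE_X = {2048: 560316, 3072: 2625351, 4096: 5736041}


def _floor_pow2_times_e(n):
    """floor(2**n * e) from e = sum 1/k!, carried with 64 guard bits.  Each
    integer division loses < 1 and there are only a few hundred terms, so the
    guard bits absorb the truncation error before we shift it away."""
    guard = 64
    term = 1 << (n + guard)      # k = 0 term, scaled by 2**(n + guard)
    acc, k = 0, 1
    while term:
        acc += term              # add 2**(n+guard) / (k-1)!
        term //= k               # next term = previous / k
        k += 1
    return acc >> guard


@lru_cache(maxsize=None)
def ffdhe_prime(bits):
    """The ffdhe<bits> prime from the RFC 7919 formula."""
    e_part = _floor_pow2_times_e(bits - 130)
    return (1 << bits) - (1 << (bits - 64)) + ((e_part + FFDHE_X[bits]) << 64) - 1


def is_probable_prime(n, bases=(2, 3)):
    """Miller-Rabin with fixed bases; enough to expose a wrong X constant."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


# Minimal DER for PKCS#3 DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der_int(v):
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:              # leading 0x00 keeps the INTEGER positive
        b = b"\x00" + b
    return b"\x02" + _der_len(len(b)) + b


def _der_read(buf, pos):
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                # long-form length
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln


def dh_params_to_pem(p, g=2):
    body = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(body)) + body
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


def pem_to_dh_params(pem):
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if lines[0] != "-----BEGIN DH PARAMETERS-----" or lines[-1] != "-----END DH PARAMETERS-----":
        raise ValueError("not a PKCS#3 'DH PARAMETERS' PEM block")
    der = base64.b64decode("".join(lines[1:-1]))
    tag, seq, _ = _der_read(der, 0)
    if tag != 0x30:
        raise ValueError("expected a DER SEQUENCE")
    tag_p, p_bytes, pos = _der_read(seq, 0)
    tag_g, g_bytes, _ = _der_read(seq, pos)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected two DER INTEGERs (p, g)")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def identify_ffdhe_group(p, g):
    """'ffdhe2048'/'ffdhe3072'/'ffdhe4096' if (p, g) is that RFC 7919 group,
    else None (which is what a self-generated 'openssl dhparam' group yields)."""
    if g != 2:
        return None
    for bits in FFDHE_X:
        if p == ffdhe_prime(bits):
            return f"ffdhe{bits}"
    return None


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:       # check an existing PEM file
        with open(sys.argv[1]) as fh:
            p, g = pem_to_dh_params(fh.read())
        print(identify_ffdhe_group(p, g) or f"not an RFC 7919 group ({p.bit_length()}-bit, g={g})")
    else:                        # emit ffdhe3072 as PEM on stdout
        print(dh_params_to_pem(ffdhe_prime(3072)), end="")
```

Run without arguments to write ffdhe3072 (redirect to the path used in the thread and set `smtpd_tls_dh1024_param_file` with the `postconf -e` line quoted above); run with a file name to learn which group it holds, which is the check to make after dropping in Mozilla's ffdhe4096.txt. `openssl dhparam -in FILE -check -text` is an independent cross-check of the same file with a library implementation.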
