On Sat, Sep 07, 2013 at 08:30:47AM +0200, Robert Schetterer wrote:
> # openssl dhparam -out dh2048.pem 2048
> # postconf -e 'smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem'
> ...
>
> I had some report from one customer with Netscape 7 (a very old mail
> client) that he can't connect anymore via port 465 because of SSL failures,
> which I can see in the logs too.
>
> Does this sound plausible?
Definitely. Ancient software may not be able to handle 2048-bit EDH.
Fortunately, as Wietse points out, there is a simple work-around:
deploy a different dhparam file on ports 465 and 587.
# openssl dhparam -out dh1024.pem 1024
# postconf -e 'submission_tls_dh1024_param_file = ${config_directory}/dh1024.pem'
Then in master.cf:
465 inet n ... smtpd
    -o smtpd_tls_wrappermode=yes
    -o smtpd_tls_dh1024_param_file=$submission_tls_dh1024_param_file
    ...
587 inet n ... smtpd
    -o smtpd_tls_dh1024_param_file=$submission_tls_dh1024_param_file
    ...
--
Viktor.
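The work-around above relies on two Postfix mechanisms: master.cf "-o" overrides, which replace a main.cf value for one service only, and "$name" expansion, which lets the override point at a main.cf parameter such as submission_tls_dh1024_param_file. The following script is an added example, not code from the message or from Postfix itself; it parses constructed main.cf and master.cf fragments and reports which DH parameter file each smtpd service will actually load, so you can confirm that only the submission ports fall back to the 1024-bit group while port 25 keeps the 2048-bit one. Paths and service layout are assumed for illustration.

```python
import re

# Constructed sample configuration (not from the original message): a main.cf
# that uses a 2048-bit DH group by default, plus the per-service overrides the
# message suggests for ports 465 and 587.
MAIN_CF = """\
config_directory = /etc/postfix
smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem
submission_tls_dh1024_param_file = ${config_directory}/dh1024.pem
"""

MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       n       -       -       smtpd
465       inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_tls_dh1024_param_file=$submission_tls_dh1024_param_file
587       inet  n       -       n       -       -       smtpd
  -o smtpd_tls_dh1024_param_file=$submission_tls_dh1024_param_file
"""

_VAR = re.compile(r"\$\{([A-Za-z0-9_]+)\}|\$([A-Za-z0-9_]+)")


def parse_main_cf(text):
    """Return main.cf as a dict. Lines starting with whitespace continue the
    previous value; '#' lines and blank lines are skipped."""
    params = {}
    last = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and last is not None:
            params[last] += " " + line.strip()
            continue
        name, _, value = line.partition("=")
        last = name.strip()
        params[last] = value.strip()
    return params


def expand(value, params, depth=0):
    """Expand $name and ${name} references recursively (the simple forms only;
    Postfix also supports ${name?value} and ${name:value}, not handled here)."""
    if depth > 10:
        raise ValueError("parameter expansion too deep: %r" % value)

    def repl(m):
        name = m.group(1) or m.group(2)
        return expand(params.get(name, ""), params, depth + 1)

    return _VAR.sub(repl, value)


def parse_master_cf(text):
    """Return a list of (service, type, command, overrides) per master.cf entry.
    Continuation lines (leading whitespace) belong to the entry above them;
    '-o name=value' arguments are collected into the overrides dict."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":
            if not entries:
                raise ValueError("continuation line with no preceding entry")
            entries[-1].append(line.strip())
        else:
            entries.append([line.strip()])
    result = []
    for parts in entries:
        fields = " ".join(parts).split()
        if len(fields) < 8:
            raise ValueError("malformed master.cf entry: %r" % parts[0])
        service, svc_type, command, args = fields[0], fields[1], fields[7], fields[8:]
        overrides = {}
        i = 0
        while i < len(args):
            if args[i] == "-o" and i + 1 < len(args):
                name, _, value = args[i + 1].partition("=")
                overrides[name] = value
                i += 2
            else:
                i += 1
        result.append((service, svc_type, command, overrides))
    return result


def effective_dh_files(main_cf_text, master_cf_text, param="smtpd_tls_dh1024_param_file"):
    """Map each smtpd service to the DH parameter file it will load: the -o
    override when present, else the main.cf value, both expanded against
    main.cf plus the service's own overrides."""
    main_params = parse_main_cf(main_cf_text)
    out = {}
    for service, _svc_type, command, overrides in parse_master_cf(master_cf_text):
        if command != "smtpd":
            continue
        scope = dict(main_params)
        scope.update(overrides)
        out[service] = expand(scope.get(param, ""), scope)
    return out


if __name__ == "__main__":
    for service, path in effective_dh_files(MAIN_CF, MASTER_CF).items():
        print("%-5s -> %s" % (service, path))
```

Run against the real files ("postconf -n" output and /etc/postfix/master.cf) to check a deployment; if port 25 also shows the 1024-bit file, the override landed on the wrong service or was placed in main.cf instead of master.cf. Note that the continuation lines must be indented, since master.cf treats a line without leading whitespace as a new service entry.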