On 07.09.2013 16:43, Viktor Dukhovni wrote:
> On Sat, Sep 07, 2013 at 08:30:47AM +0200, Robert Schetterer wrote:
>
>> # openssl dhparam -out dh2048.pem 2048
>> # postconf -e 'smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem'
>> ...
>>
>> I had a report from one customer with Netscape 7 (a very old mail
>> client) that he can't connect anymore via port 465 due to SSL failures,
>> which I can see in the logs too.
>>
>> Does this sound plausible?
>
> Definitely. Ancient software may not be able to handle 2048-bit EDH.
> Fortunately, as Wietse points out, there is a simple work-around,
> deploy a different dhparam file on ports 465 and 587.
>
> # openssl dhparam -out dh1024.pem 1024
> # postconf -e 'submission_tls_dh1024_param_file = ${config_directory}/dh1024.pem'
>
> Then in master.cf:
>
> 465 inet n ... smtpd
> -o smtpd_tls_wrappermode=yes
> -o smtpd_tls_dh1024_param_file=$submission_tls_dh1024_param_file
> ...
> 587 inet n ... smtpd
> -o smtpd_tls_dh1024_param_file=$submission_tls_dh1024_param_file
> ...
>
I thought that way too,
and did it that way before reading this post, so I am now waiting for
a back-report from the user.
Best Regards
Kind regards, Robert Schetterer
--
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
Registered office: München, Amtsgericht München: HRB 199263
Management Board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the Supervisory Board: Florian Kirstein