On 23-12-13 15:40, Wietse Venema wrote:
> nanotek:
>> Still, might be a good time to create my own CA and upgrade to
>> 4096 bit keys/certificates using SHA512 algorithms and make use
>> of some Diffie-Hellman ephemeral elliptic curve parameters for
>> perfect forward secrecy. I've read
>> http://www.postfix.org/TLS_README.html -- Postfix documentation
>> is exceptional by the way -- are there any guides for DHE?
>
> There is a work-in-progress document on forward secrecy that
> covers both EDH and EECDH. It shows how to configure things (the
> defaults should be sufficient for many applications) and what you
> can expect to see in logging and message headers.
>
> http://www.postfix.org/FORWARD_SECRECY_README.html
>
> I am still fixing it for clarity, but it should be accurate.
> Feedback is welcome.
>
After reading, I have some questions. The document states that forward secrecy is supported by default on recent Postfix installs. However, the quick-start still has some settings that apparently need tweaking.

Setting 'smtpd_tls_eecdh_grade = strong' is already the default (tested with Postfix 2.10), so no actual work here.

Setting the files (and refreshing them using a cron job) specified by 'smtpd_tls_mumble_param_file' is a bit unclear though. The default for these params is empty, and setting them does not really show a different behavior in Postfix (i.e. using different ciphers and keys), as far as is visible from the logged information. But since forward secrecy is supported by default, what does it help to specify these params, and re-generate them once in a while?

I have no deep SSL knowledge, but the smtpd_tls_dh1024_param_file postconf documentation seems to indicate that OpenSSL distributes some kind of defaults for these contents? Maybe it's a nice idea to make the forward secrecy and/or postconf documentation a bit more verbose on how this works, and what benefits manual generation of these params has?
Tom
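The logging and message headers that the FORWARD_SECRECY_README refers to are where the two kinds of ephemeral key exchange become visible: the negotiated cipher name begins with ECDHE- for EECDH (governed by smtpd_tls_eecdh_grade) or with DHE-/EDH- for EDH, and finite-field DH parameters such as those in smtpd_tls_dh1024_param_file are only consulted when an EDH cipher is negotiated. As an added illustration (not code from this thread or from the Postfix project), the following Python script classifies Postfix "TLS connection established" log lines and the "(using TLSv1.x with cipher ...)" clause of Received: headers by key exchange, and lists connections that had no forward secrecy at all. The sample log lines, host names and addresses are constructed; the script also recognises TLS 1.3 suite names (TLS_*), which did not exist at the time of the thread and are always ephemeral.

```python
import re
from collections import Counter

# Constructed sample input (not real traffic): three Postfix TLS log lines and
# one "Received:" header clause in the form Postfix writes into messages.
SAMPLE_LOG = [
    "Dec 23 15:40:01 mx postfix/smtpd[12345]: Anonymous TLS connection established "
    "from mail.example.org[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "Dec 23 15:41:12 mx postfix/smtp[12346]: Trusted TLS connection established "
    "to mx.example.net[198.51.100.5]:25: TLSv1.2 with cipher DHE-RSA-AES256-SHA (256/256 bits)",
    "Dec 23 15:42:30 mx postfix/smtpd[12347]: Untrusted TLS connection established "
    "from legacy.example.com[203.0.113.7]: TLSv1 with cipher AES128-SHA (128/128 bits)",
    "Dec 23 15:43:00 mx postfix/smtpd[12348]: connect from unknown[203.0.113.9]",
    "        (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))",
]

# Postfix smtpd/smtp log line: "... TLS connection established from|to peer: PROTO with cipher NAME (x/y bits)"
TLS_LOG_RE = re.compile(
    r"TLS connection established (?:from|to) (?P<peer>\S+): "
    r"(?P<proto>TLSv[\d.]+|SSLv\d) with cipher (?P<cipher>[A-Z0-9_-]+) "
    r"\((?P<bits>\d+)/(?P<algbits>\d+) bits\)"
)
# Clause Postfix adds to Received: headers: "(using PROTO with cipher NAME (x/y bits))"
RECEIVED_RE = re.compile(
    r"\(using (?P<proto>TLSv[\d.]+|SSLv\d) with cipher (?P<cipher>[A-Z0-9_-]+) "
    r"\((?P<bits>\d+)/(?P<algbits>\d+) bits\)\)"
)


def key_exchange(cipher):
    """Classify the key exchange from an OpenSSL cipher-suite name.

    EECDH  - ephemeral elliptic-curve DH (ECDHE-*, anonymous AECDH-*);
             curve choice is governed by smtpd_tls_eecdh_grade.
    EDH    - ephemeral finite-field DH (DHE-*, EDH-*, anonymous ADH-*);
             this is the only case where smtpd_tls_dh*_param_file parameters are used.
    TLS1.3 - TLS 1.3 suites (TLS_*) always use an ephemeral (EC)DH exchange.
    none   - RSA key transport or anything else: no forward secrecy.
    """
    if cipher.startswith(("ECDHE-", "AECDH-")):
        return "EECDH"
    if cipher.startswith(("DHE-", "EDH-", "ADH-")):
        return "EDH"
    if cipher.startswith("TLS_"):
        return "TLS1.3"
    return "none"


def has_forward_secrecy(cipher):
    """True when the cipher's key exchange is ephemeral."""
    return key_exchange(cipher) != "none"


def parse_line(line):
    """Return {proto, cipher, bits, kx} for a TLS log line or Received: clause, else None."""
    m = TLS_LOG_RE.search(line) or RECEIVED_RE.search(line)
    if m is None:
        return None
    cipher = m.group("cipher")
    return {
        "proto": m.group("proto"),
        "cipher": cipher,
        "bits": int(m.group("bits")),
        "kx": key_exchange(cipher),
    }


def summarize(lines):
    """Count connections per key-exchange class and collect those without forward secrecy.

    Returns (counts, non_pfs) where non_pfs is a list of (cipher, original line).
    """
    counts = Counter()
    non_pfs = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not a TLS line; e.g. a plain "connect from" entry
        counts[rec["kx"]] += 1
        if rec["kx"] == "none":
            non_pfs.append((rec["cipher"], line.strip()))
    return counts, non_pfs


if __name__ == "__main__":
    counts, non_pfs = summarize(SAMPLE_LOG)
    for kx in ("EECDH", "EDH", "TLS1.3", "none"):
        print(f"{kx:7s} {counts[kx]}")
    for cipher, line in non_pfs:
        print(f"no forward secrecy ({cipher}): {line}")
```

Run it against a real mail log (`grep 'TLS connection established' /var/log/mail.log`) to see which class your peers actually negotiate; a server whose peers all land in the EECDH column never touches the DH parameter files, while any EDH entries are the connections for which the generated parameters matter.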