On Fri, Aug 07, 2015 at 10:24:34AM +0200, Luigi Rosa wrote:
> >Recent updates to the supported Postfix releases have updated the
> >default settings of the OpenSSL ciphers used for opportunistic TLS
> >from "export" to "medium.
>
> Viktor,
> thank you so much for this mini-howto.
>
> As an added security I rotate DH parameters every night, this should enforce
> better forward secrecy, am I correct?
Yes, especially for 512-bit parameters (if EXPORT is still enabled).
Nightly is likely substantially more often than necessary for
1024-bit parameters, but they're cheap enough to generate.
I think many cryptographers would be surprised if 2048-bit prime
EDH groups were already today vulnerable to practical pre-computation
attacks, but there's no harm in rotating these also.
--
Viktor.