> On 22 Jul 2021, at 7:57 am, raf <[email protected]> wrote:
>
> The FORWARD_SECRECY_README suggests regenerating the
> Postfix SMTP server EDH parameters periodically.
> Would doing so necessitate a postfix reload?
No. The new parameters get picked up by new smtpd(8)
processes as old ones exit after handling $max_use
connections or bing idle at least $max_idle.
That said, the built-in default 2048-bit group should
be quite strong. If some state actor can crack that,
they should also be able to break 2048-bit RSA, which
is the key size of the WebPKI CAs and root DNSSEC keys.
So if you don't rotate the parameters, you're still fine.
Just generating your own group once is quite sufficient
unless you believe you have nation-state value secrets
to protect.
In practice security is compromised by going around the
crypto, rather than cracking the algorithms. Focus on
the basics, keeping your endpoints up to date, monitoring,
... Security is about operational discipline, the
cryptography gets all the press, but is almost never the
weak link.
--
Viktor.
