> On Jun 14, 2022, at 5:30 PM, P V Anthony <anth...@mindmedia.com.sg> wrote:
> 
> On 15/6/2022 2:43 am, Viktor Dukhovni wrote:
> 
>> The simplest configuration is therefore to just leave the parameter
>> unset, the default value will be sensible.
> 
> I have just commented out smtpd_tls_dh1024_param_file
> 
> I have made so many mistakes trying to increase security.

It doesn't help when sites like https://cipherlist.eu keep giving you settings to 
randomly drop into your main.cf and people do it.  I've certainly been guilty of 
this as well.

Now, it also doesn't help that Apache ships with insanely liberal defaults that 
are vulnerable to lots of downgrade attacks, and people feel the need to apply 
the same "tweak every knob" methodology to their other daemons.

It also doesn't help that there are companies out there running SSL scans on 
everything on your network, and then selling it to the people who would offer 
you insurance, like some kind of credit reports, so people feel the need to 
tweak all the knobs obsessively.  (Dayjob got hit for this, on a hosted system 
that we didn't even control.)

Postfix has sane defaults as long as you run a fairly recent version, and the 
developers have clue.  Not all apps have sane defaults (for example, I could 
see the need to configure default SSL configs with Sendmail).

-Dan
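As an added example (not from the thread or from Postfix itself), a small checker that parses a main.cf and reports the hand-set TLS knobs the thread says are best left at their defaults. The parser handles Postfix's `name = value` lines, `#` comments and whitespace-continued values; the sample main.cf is constructed, and every knob other than smtpd_tls_dh1024_param_file is an assumption about what copy-pasted "hardening" snippets typically set.

```python
"""Flag TLS parameters in a Postfix main.cf that are better left unset."""

# smtpd_tls_dh1024_param_file is the parameter from the thread; the rest are
# assumed cipher-tuning knobs that generator sites hand out (real Postfix
# parameter names, but their presence here is this example's assumption).
KNOBS_BEST_LEFT_DEFAULT = {
    "smtpd_tls_dh1024_param_file": "leave unset; the built-in default is sensible",
    "smtpd_tls_mandatory_ciphers": "default grade is fine for opportunistic SMTP TLS",
    "smtpd_tls_ciphers": "default grade is fine for opportunistic SMTP TLS",
    "tls_high_cipherlist": "do not override the OpenSSL cipher list by hand",
    "tls_preempt_cipherlist": "server-preferred ordering rarely helps for SMTP",
}


def parse_main_cf(text):
    """Return {parameter: value} from main.cf text.

    A line starting with '#' is a comment; a line starting with whitespace
    continues the previous parameter's value (joined with a single space).
    """
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue  # not an assignment; ignore
        current = name.strip()
        params[current] = value.strip()
    return params


def check_main_cf(text):
    """Return {knob: advice} for every flagged knob explicitly set in main.cf."""
    params = parse_main_cf(text)
    return {k: KNOBS_BEST_LEFT_DEFAULT[k] for k in sorted(params)
            if k in KNOBS_BEST_LEFT_DEFAULT}


# Constructed sample main.cf (not a real site's configuration).
SAMPLE_MAIN_CF = """# constructed sample
myhostname = mail.example.com
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/ssl/certs/mail.pem
smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem
smtpd_tls_mandatory_ciphers = high
tls_high_cipherlist = ECDHE-RSA-AES256-GCM-SHA384:
    ECDHE-RSA-CHACHA20-POLY1305
"""

if __name__ == "__main__":
    for knob, advice in check_main_cf(SAMPLE_MAIN_CF).items():
        print(f"{knob}: {advice}")
```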
