--- etc/cron.daily/exim4-base	2006-08-23 19:28:40.000000000 +0200
+++ /etc/cron.daily/exim4-base	2006-09-16 18:00:43.000000000 +0200
@@ -74,7 +74,7 @@
 # old file otherwise.
 CERTTOOLTIMEOUT=1800
 if [ -e $SPOOLDIR/gnutls-params ] ; then
-  if [ -x /usr/bin/certtool ] ; then
+  if [ -x /usr/bin/certtool -o -x /usr/bin/openssl ] ; then
     start-stop-daemon --start --exec /usr/share/exim4/exim4_refresh_gnutls-params \
       --chuid Debian-exim:Debian-exim -- ${CERTTOOLTIMEOUT}
   else
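Review bot: The new condition on the `if [ -x /usr/bin/certtool -o -x /usr/bin/openssl ]` line relies on the `-o` binary operator of `[`, which POSIX marks obsolescent and whose parsing is ambiguous with more than four arguments; the same test written as two separate tests, `if [ -x /usr/bin/certtool ] || [ -x /usr/bin/openssl ] ; then`, is unambiguous under any `/bin/sh`. The inner `if` and its `else` branch continue past the end of the hunk, so what happens when neither tool is present is not visible here. The check now also starts the refresh helper whenever only openssl is installed, which matches the openssl-first ordering the helper script gains in the same patch; a one-line comment above the test stating that either tool is sufficient would stop a later reader from "fixing" one side without the other.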
--- usr/share/exim4/exim4_refresh_gnutls-params	2006-03-13 07:54:55.000000000 +0100
+++ /usr/share/exim4/exim4_refresh_gnutls-params	2006-09-16 18:07:07.000000000 +0200
@@ -14,12 +14,18 @@
 cd $SPOOLDIR
 
 tempgnutls=$(tempfile -d $SPOOLDIR -p "gnutp" )
-if /usr/share/exim4/timeout.pl \
+if { /usr/share/exim4/timeout.pl \
+  "$1" /usr/bin/openssl genrsa 512 \
+  > "$tempgnutls" 2> /dev/null && \
+  /usr/share/exim4/timeout.pl \
+  "$1" /usr/bin/openssl gendh 1024 \
+  >> "$tempgnutls" 2> /dev/null ; } || { \
+  /usr/share/exim4/timeout.pl \
   "$1" /usr/bin/certtool --generate-privkey --bits 512 \
   > "$tempgnutls" 2> /dev/null && \
   /usr/share/exim4/timeout.pl \
   "$1" /usr/bin/certtool --generate-dh-params --bits 1024 \
-  >> "$tempgnutls" 2> /dev/null ; then
+  >> "$tempgnutls" 2> /dev/null ; } ; then
   if [ -e $SPOOLDIR/gnutls-params ] ; then
     chmod --reference=$SPOOLDIR/gnutls-params "$tempgnutls"
   fi
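Review bot: Both branches of the new `{ … } || { … }` discard stderr, so when openssl is present but fails (including being killed by timeout.pl after `"$1"` seconds) and the certtool fallback then also fails, the job produces no diagnostic at all about why gnutls-params was not refreshed; since the `2> /dev/null` was already there for certtool this is not new, but the openssl branch doubles the number of silent failure paths. A cheap improvement is to send stderr of each generator to a second temp file created alongside `$tempgnutls` and print it only on the failure path of this `if` (its else branch lies outside the hunk). The openssl lines hardcode the same `512` and `1024` sizes as the certtool lines; hoisting them into two variables near the top of the script keeps the two branches from drifting apart, and a comment such as `# Try openssl first, fall back to certtool (gnutls-bin); the tool that succeeds wins` above the `if` would document the ordering, which is otherwise only implied. Note that the fallback is correct as written because the certtool branch re-opens `$tempgnutls` with `>` and so overwrites any partial openssl output.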
--- README.Debian.Orig	2006-09-17 17:12:50.000000000 +0200
+++ README.Debian	2006-09-17 17:16:19.000000000 +0200
@@ -587,6 +587,13 @@
    shipped in /usr/share/doc/exim4-base/examples/ and takes care of
    proper access privileges on the private key file.
 
+   After generating the certificates, make sure to generate the private
+   key and Diffie-Hellman parameters (gnutls-bin or openssl is required)
+   as used to initiate any TLS connection by running:
+
+     touch /var/spool/exim4/gnutls-params
+     /etc/cron.daily/exim4-base
+
    Now, enable TLS by setting the macro MAIN_TLS_ENABLE in a local
    configuration file (documented below).
 
@@ -612,18 +619,16 @@
    does not support varying its Diffie-Hellman parameters. Therefore
    tls_dhparam settings are ignored in Exim's configuration file, and no
    dhparam file is generated by exim-gencerts. GnuTLS uses RSA and D-H
-   parameters that are computed when they are needed. When someone sends
-   STARTTLS, exim will compute these parameters and then store these
-   parameters in a cache file located in Exim's spool directory
-   (/var/spool/exim4/gnutls-params).
+   parameters that are computed daily by the exim4-base cron job and
+   saved into /var/spool/exim4/gnutls-params.
 
-   The daily cron job removes this file, so Exim creates a new set of
-   gnutls parameters. It is "more secure" when you have this file
-   regenerated more often. You can delete it any time you wish without
-   any need for synchronization. Exim will regenerate it automatically.
-   But remember that the exim process that has to create the file could
-   take a little longer before it responds to a STARTTLS command. You
-   should not notice this on current computers.
+   Exim will also regenerate automatically this file when missing,
+   but note that, due to GnuTLS and poor handling on the Exim side,
+   server systems without hardware generators or without enough entropy 
+   will wait for key regeneration on STARTTLS which can take several
+   minutes, leading to a possible DoS condition. It is recommended to
+   regenerate the RSA and D-H parameters outside of Exim by using the
+   exim4-base daily cron job (gnutls-bin or openssl required).
 
    NOTE! The fact that GnuTLS does not support generated Diffie-Hellman
    parameters does NOT make it less secure.
@@ -647,9 +652,14 @@
    Exim context. If Exim says "not enough random bytes available", or
    simply hangs silently when an encrypted connection should be
    established, then Exim was unable to read enough random data from
-   /dev/random to do whatever cryptographic operation is requested.
-   Please check that your /dev/random device is setup properly.
+   /dev/random to do whatever cryptographic operation is requested
+   because the private key and D-H parameters were not already
+   available.
 
+   Make sure you generate your RSA key and D-H parameters outside of
+   Exim with the supplied exim4-base daily cron job before enabling
+   TLS (see Section 2.2.2).
+   
 2.3. SMTP-AUTH
 
 2.3.1. Using exim as SMTP-AUTH client
