On Thu, May 19, 2011 at 07:58:55PM +0000, Kevin Chadwick wrote:
> On Thu, 19 May 2011 01:06:49 +0100
> Mikolaj Kucharski wrote:
>
> > On Thu, May 19, 2011 at 12:42:57AM +0200, Gilles Chehade wrote:
> > > smtpd is just telling you that you did not generate Diffie-Hellman
> > > parameters [see smtpd.conf(5) / starttls(8)], and that it will use
> > > its own builtin parameters.
> > >
> > > It is safe to ignore the message, but it is safer to actually take
> > > the time to generate your very own parameters. We don't do it when
> > > booting or starting smtpd for the first time because it can take a
> > > very looooooooooong time :-)
>
> Interestingly, on the same unloaded system, sometimes it takes absolutely
> ages and sometimes it takes seconds.
>
> > Okay, but how big (long) a DH parameters file should I generate? Is this
> > something as simple as:
> >
> > openssl dhparam -outform PEM -out dh.pem <size>
> >
> > I didn't really get that after reading smtpd.conf(5) and starttls(8).
>
> I do 1024 and regenerate it every so often (early morning, once a week
> or twice a year, depending on usage/preference)
Does the length of the DH parameters matter for different sizes or types of private key? If I'm using a 4096-bit RSA key, do I need to use a 4096-bit DH parameters file? Do they need to match? Is it okay to have the DH size smaller or even bigger? I'm happy to read more about it, but the openssl(1) man page wasn't too helpful for me (unless I've missed something).

--
best regards
q#
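For the `openssl dhparam -outform PEM -out dh.pem <size>` step quoted in the thread, here is an added example (editor's code, not from the thread, from OpenSMTPD or from OpenSSL) that reads a PKCS#3 "DH PARAMETERS" PEM file in the form openssl writes it, reports the prime's bit length and generator, and checks that p is a safe prime (p = 2q + 1 with q prime, which is what `openssl dhparam` produces by default). One point the question turns on and that the thread does not spell out: the DH group size is independent of the RSA key size. The RSA key authenticates the handshake, while the DH prime sets the strength of the ephemeral key exchange, so the two need not match, and the check below compares the prime against a minimum you choose (2048 bits by default, the floor current guidance gives for finite-field DH) rather than against the certificate key. So that it runs offline, the block builds its own small sample parameters in-process; `generate_safe_prime` and the 256-bit sample size are assumptions made only to construct that input and are not a substitute for `openssl dhparam`.

```python
import base64
import secrets
import textwrap

# Editor's example; not OpenSMTPD or OpenSSL code.
# Checks a "DH PARAMETERS" PEM file (PKCS#3: SEQUENCE { INTEGER p, INTEGER g })
# for prime size, generator value and safe-prime structure.

_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)


def is_probable_prime(n, rounds=32):
    """Miller-Rabin test with trial division by small primes first."""
    if n < 2:
        return False
    for sp in _SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                          # definite composite
    return True


def generate_safe_prime(bits):
    """Assumed helper for constructing sample input only: p = 2q + 1, q prime."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1   # (bits-1)-bit odd q
        if not is_probable_prime(q):
            continue
        p = 2 * q + 1                                           # exactly `bits` bits
        if is_probable_prime(p):
            return p


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der_int(v):
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:
        b = b"\x00" + b                            # keep INTEGER positive
    return b"\x02" + _der_len(len(b)) + b


def encode_dhparams_pem(p, g=2):
    """Write p and g in the PEM layout openssl dhparam uses (g=2 is its default)."""
    body = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(body)) + body
    b64 = base64.b64encode(der).decode()
    return ("-----BEGIN DH PARAMETERS-----\n"
            + "\n".join(textwrap.wrap(b64, 64))
            + "\n-----END DH PARAMETERS-----\n")


def _read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for one DER element, long lengths included."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_dhparams_pem(pem):
    """Return (p, g) from a DH PARAMETERS PEM block."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if lines[0] != "-----BEGIN DH PARAMETERS-----" or lines[-1] != "-----END DH PARAMETERS-----":
        raise ValueError("not a PKCS#3 DH PARAMETERS block")
    der = base64.b64decode("".join(lines[1:-1]))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag_p, p_bytes, pos = _read_tlv(seq, 0)
    tag_g, g_bytes, _ = _read_tlv(seq, pos)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected two INTEGERs (p, g)")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def check_dhparams(pem, min_bits=2048):
    """Report size and structure; min_bits is judged independently of any RSA key size."""
    p, g = parse_dhparams_pem(pem)
    return {
        "bits": p.bit_length(),
        "generator": g,
        "p_prime": is_probable_prime(p),
        "safe_prime": is_probable_prime((p - 1) // 2),
        "size_ok": p.bit_length() >= min_bits,
    }


if __name__ == "__main__":
    # Constructed sample: a 256-bit group is far too small for real use and is
    # only here so the script runs without openssl. Point parse_dhparams_pem at
    # a real dh.pem instead (pass its contents as the string).
    sample = encode_dhparams_pem(generate_safe_prime(256))
    print(sample)
    print(check_dhparams(sample, min_bits=256))
    print(check_dhparams(sample))               # size_ok False against the 2048 floor
```

With a real file, `check_dhparams(open("dh.pem").read())` gives the same information that `openssl dhparam -in dh.pem -check -text -noout` prints, with the safe-prime and size decisions made explicit; regenerating the file on a schedule, as the thread suggests, changes p but none of these checks.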