On Sat, Mar 23, 2024 at 12:36:23PM +0100, Matthias Nagel via Postfix-users wrote:
> I am currently assessing the TLS security of a Postfix mail server and among
> other things sslscan reported that the server allows a (non-EC) DH exchange
> with only 1024 bits. While one solution would be to only allow ECDH(E) and
> disable DH(E) entirely, I would rather like to keep support for DH(E) for
> compatibility reasons but only enforce a lower limit on the size of the
> finite group (maybe 2048 bits, or even 3072 bits preferably). How do I do that
> with Postfix? I cannot find any smtpd_tls_... setting which seems related to
> that aspect.

You are assessing mandatory TLS? Then disable non-ECDHE.

You are assessing opportunistic TLS? Ignore it.

Bastian

-- 
It would be illogical to kill without reason.
		-- Spock, "Journey to Babel", stardate 3842.4