On 2024-03-23 15:58, Matthias Nagel via Postfix-users wrote:
I wonder whether setting `smtpd_tls_dh1024_param_file` to a custom 2048-bit DH group would help? But from my understanding of the docs that should not be necessary, as Postfix 3.8.5 uses a built-in 2048-bit group if left empty.
Postfix doesn't complain if you configure it this way (I tried). I don't know if it does what you want to do (I have a custom cipher spec I allow).
You could install a test instance and test with nmap: `nmap -p <port> --script ssl-enum-ciphers <hostname>`; pay attention to the "(dh ...)" part in the output.
Do a scan before and after the smtpd_tls_dh1024_param_file change.
PS: As of January 2024, the German BSI has tightened its recommendation for asymmetric algorithms over finite fields to at least 3000 bits (i.e. RSA encryption, RSA signatures and FFDH).
If this is as a result of an audit, or in preparation for an audit: have a look whether it helps to talk with the auditors. Sometimes they are open to arguments (cleartext is allowed, dh 1024 is better than cleartext). If they only look at checkboxes to tick, see the part above or disable the parts as you suggested (you could increase smtpd_tls_loglevel to 1 and check over a suitable amount of time whether someone is using those ciphers you want to disable before you actually disable them).
Bye,
Alexander.
--
http://www.Leidinger.net alexan...@leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org netch...@freebsd.org : PGP 0x8F31830F9F2772BF
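As an added example (not part of the thread or of Postfix/nmap), a small Python script that parses the `ssl-enum-ciphers` output Alexander refers to, flags suites negotiated over a finite-field DH group smaller than a chosen size, and diffs a before/after scan; the scan text below is constructed, not a real result.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample of `nmap -p 25 --script ssl-enum-ciphers <host>` output,
# trimmed to the cipher section; hypothetical, not a real scan.
SCAN_BEFORE = """\
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - C
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: C
"""
# Same host after switching to a 2048-bit group (constructed).
SCAN_AFTER = SCAN_BEFORE.replace("(dh 1024)", "(dh 2048)")

VERSION_RE = re.compile(r"^\|\s+(SSLv3|TLSv1\.[0-3]):\s*$")
CIPHER_RE = re.compile(r"^\|\s+(TLS_\S+)\s+\(([^)]*)\)\s+-\s+([A-F])\s*$")

Suite = Tuple[str, str, str]  # (protocol version, cipher suite, key-exchange info)

def parse_enum_ciphers(text: str) -> List[Suite]:
    """Collect (version, suite, kex) triples from ssl-enum-ciphers output."""
    suites: List[Suite] = []
    version: Optional[str] = None
    for line in text.splitlines():
        m = VERSION_RE.match(line)
        if m:
            version = m.group(1)      # e.g. "TLSv1.2"; later ciphers belong to it
            continue
        m = CIPHER_RE.match(line)
        if m and version:
            suites.append((version, m.group(1), m.group(2)))
    return suites

def dh_bits(kex: str) -> Optional[int]:
    """Group size from a '(dh N)' annotation; None for ECDHE/RSA key exchange."""
    m = re.fullmatch(r"dh (\d+)", kex)
    return int(m.group(1)) if m else None

def weak_dh_suites(text: str, min_bits: int = 2048) -> List[Suite]:
    """Suites whose finite-field DH group is smaller than min_bits."""
    return [s for s in parse_enum_ciphers(text)
            if (b := dh_bits(s[2])) is not None and b < min_bits]

def compare_scans(before: str, after: str) -> Tuple[List[Suite], List[Suite]]:
    """(suites that disappeared, suites that appeared) between two scans."""
    b, a = set(parse_enum_ciphers(before)), set(parse_enum_ciphers(after))
    return sorted(b - a), sorted(a - b)
```

Pass `min_bits=3000` to apply the BSI threshold mentioned in the PS instead of the 2048-bit default.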