On Mon, Dec 09, 2024 at 10:00:41PM +0100, Gerd Hoerst via Postfix-users wrote:

> Do you have a good page for checking this (including DKIM/DANE/SPF)?

Checking what exactly?  For checking DANE:

    - https://dane.sys4.de/
    - https://www.huque.com/bin/danecheck-smtp
    - https://stats.dnssec-tools.org/explore

The last of these is the DANE survey, which does not do any "live"
tests, instead connecting to each "known" DANE-SMTP domain (~4.2 million
total) once a day (between ~16:00–21:00 UTC), performing a DANE
validation on each IP address of each MX host (de-duplicated across
domains sharing "the same" MX host).

So if your domain is not a well hidden secret, and is directly delegated
from a public suffix, rather than being an internal division, then the
survey has already checked your DANE configuration recently.

> BTW: you said it's ok... but I'm still confused at the point where I
> defined the dh4096 but the page only saw dh2048

Any explicit DH key you generate is only applicable with TLS 1.2; with
TLS 1.3 explicit DH keys are not supported, and it is only possible to
negotiate specific standardised DH groups.

With TLS 1.3, Postfix defaults to advertising support for ffdhe2048 and
ffdhe3072.  Both are just fine until the hypothetical day that a
"cryptographically relevant quantum computer" (CRQC) shows up.  At that
point neither remains secure.  I see no point in stressing about
ffdhe2048.

    https://www.postfix.org/postconf.5.html#tls_ffdhe_auto_groups

    $ postconf -d tls_ffdhe_auto_groups
    tls_ffdhe_auto_groups = ffdhe2048 ffdhe3072

--
    Viktor.