Hello,

German regulations (TR-02102-2 [1]) say using 2048-bit Diffie-Hellman parameters is "deprecated". Not using DHE cipher suites is one option, but that limits TLS communication with some sites that will fall back to plaintext then. So, I have to use 3072-bit or 4096-bit DH parameters.

As 3072 seems cheaper, I generated my own parameters using the commands the Postfix docs [2] suggest:

$ openssl dhparam -out /etc/postfix/dh3072.pem 3072
$ postconf -e smtpd_tls_dh1024_param_file=/etc/postfix/dh3072.pem

But now, https://internet.nl says, "Self-generated groups are 'Insufficient'." The site also refers to RFC 9719, providing "Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for TLS" [3]. Unfortunately, this document does not provide data in a simply usable PEM format.

I would not discuss why "Self-generated groups are 'Insufficient'", but where could I find RFC 9719 compatible data in PEM format?

Andreas

[1] https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-2.html
[2] https://www.postfix.org/postconf.5.html#smtpd_tls_dh1024_param_file
[3] https://datatracker.ietf.org/doc/html/rfc7919
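The RFC's appendix defines each ffdhe group by a closed formula rather than by a PEM file, so the PEM can be derived directly and then checked for the properties the RFC promises (a safe prime of the stated size, generator 2, the well-known leading bytes). The script below does that. It is an added example, not code from the original post or from the Postfix project; the (bits, offset) table is transcribed from RFC 7919 Appendix A, the Miller-Rabin bases are my choice, and the output file names are placeholders.

```python
"""Derive the RFC 7919 finite-field DH groups (ffdhe*) and write them as PEM.

Added example, not code from the original post or from the Postfix project.
Assumption: the (bits, offset) table is transcribed from RFC 7919 Appendix A;
the file names used at the bottom are placeholders.
"""
import base64

# RFC 7919 Appendix A defines every group as
#   p = 2^bits - 2^(bits-64) - 1 + 2^64 * ( floor(2^(bits-130) * e) + offset )
# with generator g = 2. The offset is the smallest value making p a safe prime.
FFDHE_GROUPS = {
    "ffdhe2048": (2048, 560316),
    "ffdhe3072": (3072, 2625351),
    "ffdhe4096": (4096, 5736041),
    "ffdhe6144": (6144, 15705020),
    "ffdhe8192": (8192, 10965728),
}


def floor_pow2_times_e(n: int) -> int:
    """Exact floor(2**n * e) from the series e = sum(1/k!), in integer arithmetic."""
    guard = 64                  # extra low bits absorb the rounding of each term
    term = 1 << (n + guard)     # 2^(n+guard) / 0!
    total, k = 0, 0
    while term:
        total += term
        k += 1
        term //= k              # floor(floor(x/(k-1)!)/k) == floor(x/k!), still exact
    # Each truncated term lost less than 1 and the dropped tail is below 2, so the
    # true value lies in [total, total + k + 2); both ends must agree after shifting.
    lo, hi = total >> guard, (total + k + 2) >> guard
    if lo != hi:
        raise ArithmeticError("guard bits insufficient")
    return lo


def ffdhe_prime(name: str) -> int:
    """The prime p of the named RFC 7919 group, computed from the formula above."""
    bits, offset = FFDHE_GROUPS[name]
    x = floor_pow2_times_e(bits - 130)
    return (1 << bits) - (1 << (bits - 64)) - 1 + (1 << 64) * (x + offset)


def is_probable_prime(n: int, bases=(2, 3, 5, 7, 11)) -> bool:
    """Miller-Rabin with fixed bases; enough to detect a mistranscribed constant."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def is_safe_prime(p: int) -> bool:
    """RFC 7919 groups use safe primes: both p and (p-1)/2 are prime."""
    return is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der_int(v: int) -> bytes:
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:             # keep the INTEGER positive
        b = b"\x00" + b
    return b"\x02" + _der_len(len(b)) + b


def dh_params_pem(p: int, g: int = 2) -> str:
    """PKCS#3 DHParameter: SEQUENCE { INTEGER p, INTEGER g }, PEM-armoured."""
    body = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(body)) + body
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


def parse_dh_params_pem(pem: str):
    """Read (p, g) back out of a DH PARAMETERS PEM, e.g. to compare two files."""
    b64 = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    der = base64.b64decode(b64)

    def read_tlv(buf, pos):
        tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
        if ln & 0x80:
            nb = ln & 0x7F
            ln, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
        return tag, buf[pos:pos + ln], pos + ln

    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag_p, p_bytes, pos = read_tlv(body, 0)
    tag_g, g_bytes, _ = read_tlv(body, pos)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected two INTEGERs")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


if __name__ == "__main__":
    for name in ("ffdhe3072", "ffdhe4096"):      # the two sizes discussed in the post
        p = ffdhe_prime(name)
        assert is_safe_prime(p), name
        with open(f"{name}.pem", "w") as fh:     # placeholder path
            fh.write(dh_params_pem(p))
        print(f"wrote {name}.pem ({p.bit_length()} bits); install with:")
        print(f"  postconf -e smtpd_tls_dh1024_param_file=/etc/postfix/{name}.pem")
```

The safe-prime check matters because a single wrong digit in the offset table would still yield a well-formed PEM, just not the RFC group; a prime that passes it and starts with the bytes `ffff ffff ffff ffff adf8 5458 ...` shared by all ffdhe groups is the published one. OpenSSL 3.x can emit the same group with `openssl genpkey -genparam -algorithm DH -pkeyopt group:ffdhe3072 -out ffdhe3072.pem`; `parse_dh_params_pem` lets you confirm that both files carry the same p, and `openssl pkeyparam -in ffdhe3072.pem -text` shows what Postfix will load.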