On Sun, Sep 21, 2025 at 11:59:09AM +0200, A.Schulze via Postfix-users wrote:
> German regulations (TR-02102-2 [1]) say, using 2048 bit Diffie-Hellman
> parameters is "deprecated". Not using DHE cipher suites is one option
> but that limits TLS communication with some sites that will fallback to
> plaintext then. So, I have to use 3072 bit or 4096 DH parameter.

I gather you're obligated to comply?  If you're not, and the traffic in
question is not state-secrets that need to stay safe for decades, you
can safely ignore this.

> As 3072 seems cheaper, I generated my own parameter using the commands,
> postfix docs [2] suggest:

That's not the best path forward, as much as possible you should stick
with FFDHE group autonegotiation.  In particular, with TLS 1.3, your
generated group is never used, instead FFDHE is restricted to the
negotiated RFC7919 groups:

    # OpenSSL 3.5 or later CLI feature:
    $ openssl list -tls1_3 -tls-groups | tr ':' '\n' | grep ffdhe
    ffdhe2048
    ffdhe3072
    ffdhe4096
    ffdhe6144
    ffdhe8192

The relevant Postfix parameters are:

    $ postconf -d | grep -E 'dhe?_[ag]'
    smtpd_tls_eecdh_grade = auto
    tls_eecdh_auto_curves = X25519 X448 prime256v1 secp384r1 secp521r1
    tls_ffdhe_auto_groups = ffdhe2048 ffdhe3072
    tlsproxy_tls_eecdh_grade = $smtpd_tls_eecdh_grade

If you want to prefer ffdhe3072, put it first:

    tls_ffdhe_auto_groups = ffdhe3072 ffdhe2048

If you must, then drop ffdhe2048.

If your OpenSSL is 3.5 or later, and you want to support hybrid PQC key
exchange, then, follow (slightly modified to not omit the FFDHE groups):

    https://www.postfix.org/postconf.5.html#tls_config_file
    ...
    Example: Custom OpenSSL group settings.

    main.cf:
        tls_config_file = ${config_directory}/openssl.cnf
        tls_config_name = postfix

    openssl.cnf:
        postfix = postfix_settings

        [postfix_settings]
        ssl_conf = postfix_ssl_settings

        [postfix_ssl_settings]
        system_default = baseline_postfix_settings

        [baseline_postfix_settings]
        # New OpenSSL 3.5 syntax, for older releases consider
        # the Postfix default:
        #
        #   Groups = X25519:X448:prime256v1:secp384r1:secp521r1:ffdhe2048:ffdhe3072
        #
        Groups = *X25519MLKEM768 / *X25519:X448 / P-256:P-384 / ffdhe3072 / ffdhe4096

    Caution: It is typically best to just use the default OpenSSL
    group settings, by setting "tls_config_file = none". Overly
    strict system-wide TLS settings will conflict with Postfix's
    opportunistic TLS, where being less restrictive is better than
    downgrading to cleartext SMTP.

    This feature is available in Postfix ≥ 3.9, 3.8.1, 3.7.6, 3.6.10,
    and 3.5.20.

All the above applies to TLS 1.3.  If you want to use the FFDHE 3072
group with TLS 1.2, IIRC those FFDHE groups are not strictly covered by
the TLS 1.2 supported curves extension, and OpenSSL does not currently
overload client signalling of TLS 1.3 FFDHE groups in TLS 1.2.  As a
result the "auto" choice of FFDHE group is based on the rest of the
handshake parameters.

For example:

    $ openssl s_client -starttls smtp -tls1_2 -brief -cipher kDHE -groups ffdhe3072:ffdhe2048 -connect localhost:25
    Connecting to ::1
    Can't use SSL_get_servername
    depth=1 C=US, O=Let's Encrypt, CN=R12
    verify error:num=20:unable to get local issuer certificate
    CONNECTION ESTABLISHED
    Protocol version: TLSv1.2
    Ciphersuite: DHE-RSA-AES256-GCM-SHA384
    Peer certificate: CN=chardros.imrryr.org
    Hash used: SHA256
    Signature type: rsa_pss_rsae_sha256
    Verification error: unable to get local issuer certificate
    Peer Temp Key: DH, 2048 bits
    250 CHUNKING

The above TLS 1.2 connection selected a 2048 bit group, because the rest
of the handshake was not substantively stronger:

    https://github.com/openssl/openssl/blob/da9fd71ab65074fe908c51bf1b971ce9e88545e9/ssl/t1_lib.c#L4309-L4337

with "dh_secbits" typically chosen to match the security bits of the
private key:

    https://github.com/openssl/openssl/blob/da9fd71ab65074fe908c51bf1b971ce9e88545e9/ssl/t1_lib.c#L4318

and the FFDHE groups are those of rfc3526 not rfc7919.  I vaguely recall
some discussion around modernising the logic to prefer the 7919 groups
and perhaps use the supported groups signal, if FFDHE groups are listed.
But nothing has changed just yet it seems.

> $ openssl dhparam -out /etc/postfix/dh3072.pem 3072
> $ postconf -e smtpd_tls_dh1024_param_file=/etc/postfix/dh3072.pem

You could do that, but this does not quite get you the group they/you
really want, you want the actual prime used in the RFC.

For that, with OpenSSL 3.x, you'd instead use:

    $ openssl genpkey -genparam -algorithm dh -pkeyopt group:ffdhe3072
    -----BEGIN DH PARAMETERS-----
    MIIBiAKCAYEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
    +8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
    87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
    YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
    7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
    ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3
    7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32
    nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZsYu
    N///////////AgEC
    -----END DH PARAMETERS-----

This does not get you the optimised performance of using a 275-bit
private exponent, but you can probably afford the overhead.

    https://datatracker.ietf.org/doc/html/rfc7919#section-5.2

--
    Viktor.  🇺🇦 Glory to Ukraine!
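
Added example, not part of the message above and not Postfix or OpenSSL code: a way to check whether a DH parameter file holds an RFC 7919 prime, an RFC 3526 prime, or a locally generated one. The function and constant names are hypothetical, and the family is a fingerprint of the prime's first 128 bits plus generator 2, not a comparison of the whole prime.

```python
import base64
import re

# First 128 bits of each family's primes: 64 one-bits, then bits of e or pi.
KNOWN_PREFIXES = {
    0xFFFFFFFFFFFFFFFFADF85458A2BB4A9A: "rfc7919",
    0xFFFFFFFFFFFFFFFFC90FDAA22168C234: "rfc3526",
}

# The ffdhe3072 parameters as printed in the message above.
FFDHE3072_PEM = """-----BEGIN DH PARAMETERS-----
MIIBiAKCAYEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3
7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32
nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZsYu
N///////////AgEC
-----END DH PARAMETERS-----"""

def _read_tlv(buf, pos, tag):
    """Return (value, next_pos) for the DER element with this tag at pos."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError("unexpected DER tag")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return buf[pos:pos + length], pos + length

def classify_dh_params(pem):
    """Return (prime_bits, generator, family) for a PKCS#3 DH PARAMETERS PEM."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    seq, _ = _read_tlv(der, 0, 0x30)       # SEQUENCE { INTEGER p, INTEGER g }
    p_raw, pos = _read_tlv(seq, 0, 0x02)
    g_raw, _ = _read_tlv(seq, pos, 0x02)
    p, g = int.from_bytes(p_raw, "big"), int.from_bytes(g_raw, "big")
    bits = p.bit_length()
    prefix = p >> (bits - 128) if bits >= 128 else 0
    family = KNOWN_PREFIXES.get(prefix, "custom") if g == 2 else "custom"
    return bits, g, family

print(classify_dh_params(FFDHE3072_PEM))
```

A file produced by "openssl dhparam ... 3072" reports "custom"; a file that reports "rfc7919" should still be compared byte for byte with the genpkey output before it is relied on for compliance.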