"smtpd_tls_eecdh_grade (default: see "postconf -d" output)
<snip>
This feature is available in Postfix 2.6 and later, when it is compiled and linked with OpenSSL 1.0.0 or later." [0]

I'm using Postfix 2.7.1. "aptitude show postfix" shows libssl0.9.8 in dependencies. "postconf -d" lists this option. Does it mean that it's supported?

--

I read some articles about Diffie-Hellman Key Exchange. What I don't understand is the connection between theory and its practical implementation. For example, this article [1] says that it's necessary to have a key pair on a client machine. But this one [2] doesn't say anything regarding clients.

Is it necessary to configure clients? Will it be handled automatically (by OpenSSL)? Will smtpd.pem be used to certify public keys or authorize a server? Will it be used to encrypt a shared secret? What key will be used to decrypt the shared secret (on the client)? What is the purpose of DH parameters? What are export and non-export ciphers? [2]

[0] http://www.postfix.org/postconf.5.html#smtpd_tls_eecdh_grade
[1] http://www.packetsource.com/article/encryption/40070/diffie-hellman-key-exchange-a-non-mathematicians-explanation
[2] http://www.postfix.org/TLS_README.html#server_cipher