Hi,

Please increase the size of Diffie-Hellman parameters in http://www.postfix.org/TLS_README.html

You recommend 1024 bit DH parameters, but for long term protection, these parameters are too short.

During ephemeral Diffie-Hellman (EDH) key exchange a temporary key is generated from DH parameters. This temporary key is used for encryption of the communication and the server public RSA key is used ONLY for signing of this temporary key and NOT for encryption of the communication. If you use DH parameters shorter than your RSA key, you are weakening your encryption.

https://wiki.openssl.org/index.php/Diffie_Hellman
https://wiki.openssl.org/index.php/Diffie-Hellman_parameters

If you are interested in more technical information about key sizes I highly recommend:

http://www.keylength.com/en/compare/

Yearly Report on Algorithms and Keysizes (2012), D.SPA.20 Rev. 1.0, ICT-2007-216676 ECRYPT II, 09/2012.

Recommendation for Key Management, Special Publication 800-57 Part 1 Rev. 3, NIST, 07/2012