On Sun, Nov 17, 2013 at 11:36:34PM +0100, Fedor Brunner wrote:

> Please increase the size of Diffie-Hellman parameters in
> http://www.postfix.org/TLS_README.html
> You recommend 1024 bit DH parameters, but for long term protection,
> these parameters are too short.

Postfix prime-DH support is constrained by the limitations of the TLS
protocol (which does not negotiate prime-DH bit length). Further limits
are imposed by the fact that various SMTP client implementations (mostly
seen in submission MUAs) don't support bit lengths over 1024, and will
fail to connect to servers with larger DH primes.

On the other hand, some Exim MTA SMTP clients (patched by a well-meaning,
but under-informed Debian maintainer) don't support DH primes shorter
than 2048 bits. While Debian have since corrected the erroneous Exim
client-side DH prime lower-bound, not all the users of the
non-interoperable Exim have deployed updates that resolve the issue.

Keep in mind that today (with almost zero installed base for DANE) almost
all MTA to MTA SMTP traffic is unencrypted, and even the 10-20% of traffic
that does use TLS is opportunistic. Setting DH parameters to comply with
strict limits can be counter-productive, as after TLS session setup fails,
MTAs will generally fall back to plaintext.

This said, it has been found that MTAs that are TLS capable, generally
support 2048-bit DH primes. Thus it is possible to configure Postfix
as follows:

    Once as root:

        # cd /etc/postfix
        # openssl dhparam -out dh2048.pem 2048
        # openssl dhparam -out dh1024.pem 1024
        # openssl dhparam -out dh512.pem 512

    main.cf:

        # MTAs are generally able to support 2048-bit EDH as clients.
        smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem
        smtpd_tls_dh512_param_file = ${config_directory}/dh512.pem

with master.cf overrides:

        -o smtpd_tls_dh1024_param_file=${config_directory}/dh1024.pem

for any submission services that need to support clients (phones,
iPads, ...) that may not be able to do 2048-bit EDH. The above works
at sites where submission is on port 587 only, and port 25 is only for
MTA to MTA traffic.

If you are sufficiently motivated, a patch for proto/TLS_README.html
that explains the above would be appreciated.

-- 
	Viktor.
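
In this layout the parameter names no longer match the prime sizes behind them, so it helps to check what each file really contains. The following is an added example, not part of the original message: it reads the prime length from each PEM file and compares it with the intended layout. The `EXPECTED` labels and function names are assumptions made for illustration, and the sample input is constructed.

```python
import base64
import re

# Layout from the message above: setting -> prime size (bits) of the file it names.
EXPECTED = {
    "main.cf smtpd_tls_dh1024_param_file": 2048,
    "main.cf smtpd_tls_dh512_param_file": 512,
    "master.cf submission -o smtpd_tls_dh1024_param_file": 1024,
}

def read_len(der, i):
    """Decode the DER length field at der[i]; return (length, next index)."""
    if der[i] < 0x80:
        return der[i], i + 1
    n = der[i] & 0x7F
    return int.from_bytes(der[i + 1:i + 1 + n], "big"), i + 1 + n

def dh_prime_bits(pem):
    """Bit length of p in a PKCS#3 'DH PARAMETERS' PEM (SEQUENCE { p, g })."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.+?)-----END", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    _, i = read_len(der, 1)
    if der[0] != 0x30 or der[i] != 0x02:
        raise ValueError("expected SEQUENCE starting with INTEGER p")
    n, i = read_len(der, i + 1)
    return int.from_bytes(der[i:i + n], "big").bit_length()

def audit(pems):
    """Return {setting: (actual_bits, expected_bits)} for every mismatch."""
    found = {name: dh_prime_bits(text) for name, text in pems.items()}
    return {k: (found[k], EXPECTED[k]) for k in found if found[k] != EXPECTED[k]}

def constructed_pem(bits):
    """Constructed sample: right bit length, NOT a real prime. Parser input only."""
    def tlv(tag, val):
        n = len(val)
        size = (n.bit_length() + 7) // 8
        head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
        return bytes([tag]) + head + val
    p = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    der = tlv(0x30, tlv(0x02, p) + tlv(0x02, b"\x02"))
    body = base64.encodebytes(der).decode()
    return "-----BEGIN DH PARAMETERS-----\n" + body + "-----END DH PARAMETERS-----\n"

if __name__ == "__main__":  # real use: pass open(path).read() for each setting
    sample = {k: constructed_pem(1024) for k in EXPECTED}  # constructed input
    print(audit(sample))
```

An empty result from `audit` means every file holds the prime size the layout calls for; any entry names a setting whose file is a different size than intended.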