nanotek:
> Still, might be a good time to create my own CA and upgrade to 4096 bit
> keys/certificates using SHA512 algorithms and make use of some
> Diffie-Hellman ephemeral elliptic curve parameters for perfect forward
> secrecy. I've read http://www.postfix.org/TLS_README.html -- Postfix
> documentation is exceptional by the way -- are there any guides for DHE?

There is a work-in-progress document on forward secrecy that covers
both EDH and EECDH. It shows how to configure things (the defaults
should be sufficient for many applications) and what you can expect
to see in logging and message headers.

http://www.postfix.org/FORWARD_SECRECY_README.html

I am still fixing it for clarity, but it should be accurate.
Feedback is welcome.

Wietse