Tom Hendrikx:
> Setting the files (and refreshing them using a cronjob) specified by
> 'smtpd_tls_mumble_param_file' is a bit unclear though. The default for
> these params is empty, and setting them does not really show a
> different behavior in postfix (i.e. using different ciphers and keys)
> as far as visible from the logged information.
> 
> But since forward secrecy is supported by default, what does it help
> to specify these params, and re-generate them once in a while? I've no

    Note: greater security against "pre-computation" attacks against
    EDH can be obtained by periodically regenerating the EDH
    parameters as above (an hourly or daily cron job running as
    root can automate this task). The parameter files are not secret,
    after all these are sent to all SMTP clients in the clear. Mode
    0644 is fine.

However, this comment is (still) in the wrong place. It should
precede the commands that compute the parameters and that set
smtpd_tls_mumble_param_file stuff.

        Wietse
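The periodic regeneration job that the quoted note describes, as an added example (not part of this message or of the Postfix documentation). The function name, the `dh<bits>.pem` file naming, and the cron schedule and paths in the comments are assumptions.

```shell
#!/bin/sh
# Added example: regenerate EDH parameters from cron without ever leaving
# a partial or unreadable file where smtpd_tls_mumble_param_file points.
#
# Hypothetical cron entry (constructed; script path and schedule are assumptions):
#   15 3 * * *  root  /usr/local/sbin/regen-dh.sh /etc/postfix 2048

# regen_dh_params DIR BITS
# Writes DIR/dhBITS.pem; the previous file is kept if any step fails.
regen_dh_params() {
    dir=$1
    bits=$2
    final="$dir/dh$bits.pem"

    # Temp file in the same directory, so the final mv is an atomic rename
    # and a reader sees either the old file or the new one, never a mix.
    tmp=$(mktemp "$dir/dh$bits.XXXXXX") || return 1

    if ! openssl dhparam -out "$tmp" "$bits" 2>/dev/null; then
        rm -f "$tmp"
        return 1
    fi

    # Refuse to install an empty or truncated result.
    if ! grep -q -- '-----BEGIN DH PARAMETERS-----' "$tmp"; then
        rm -f "$tmp"
        return 1
    fi

    # mktemp creates the file 0600; the parameters are public, so publish
    # them 0644 as the note says.
    chmod 0644 "$tmp" && mv -f "$tmp" "$final" || { rm -f "$tmp"; return 1; }
}

# Run only when called with both arguments, e.g. from the cron entry above.
if [ "$#" -eq 2 ]; then
    regen_dh_params "$1" "$2"
fi
```
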
