Tom Hendrikx:
> Setting the files (and refreshing them using a cronjob) specified by
> 'smtpd_tls_mumble_param_file' is a bit unclear though. The default for
> these params is empty, and setting them does not really show a
> different behavior in postfix (i.e. using different ciphers and keys)
> as far as visible from the logged information.
>
> But since forward secrecy is supported by default, what does it help
> to specify these params, and re-generate them once in a while? I've no
Note: greater security against "pre-computation" attacks against
EDH can be obtained by periodically regenerating the EDH
parameters as above (an hourly or daily cron job running as
root can automate this task). The parameter files are not secret,
after all these are sent to all SMTP clients in the clear. Mode
0644 is fine.
However, this comment is (still) in the wrong place. It should
precede the commands that compute the parameters and that set
smtpd_tls_mumble_param_file stuff.
Wietse
