Tom Hendrikx:

> Setting the files (and refreshing them using a cronjob) specified by
> 'smtpd_tls_mumble_param_file' is a bit unclear though. The default for
> these params is empty, and setting them does not really show a
> different behavior in postfix (i.e. using different ciphers and keys)
> as far as visible from the logged information.
>
> But since forward secrecy is supported by default, what does it help
> to specify these params, and re-generate them once in a while? I've no
Note: greater security against "pre-computation" attacks against EDH can be obtained by periodically regenerating the EDH parameters as above (an hourly or daily cron job running as root can automate this task). The parameter files are not secret, after all these are sent to all SMTP clients in the clear. Mode 0644 is fine.

However, this comment is (still) in the wrong place. It should precede the commands that compute the parameters and that set smtpd_tls_mumble_param_file stuff.

Wietse
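The cron-driven regeneration described in the note above, written out as an added example (it is not from the thread or from the Postfix documentation). It generates a fresh EDH parameter file with `openssl dhparam`, installs it atomically with mode 0644 since the parameters are sent to every client in the clear, and points Postfix at it with `smtpd_tls_dh1024_param_file`, the real parameter behind "smtpd_tls_mumble_param_file". The file path, key size and script location are assumptions.

```shell
#!/bin/sh
# Added example, not from the postfix-users thread or Postfix docs:
# regenerate the EDH parameter file Postfix serves to SMTP clients and
# install it world-readable, as an hourly/daily root cron job would.
set -eu

DH_FILE="${DH_FILE:-/etc/postfix/dh2048.pem}"   # assumed location
DH_BITS="${DH_BITS:-2048}"                       # assumed parameter size

# Write new parameters to a temp file beside the target, then rename it
# into place so a running smtpd never reads a half-written file.
gen_dh_params() {
    out="$1"; bits="$2"
    dir="$(dirname "$out")"
    tmp="$(mktemp "$dir/.dh.XXXXXX")"
    openssl dhparam -out "$tmp" "$bits" 2>/dev/null
    chmod 0644 "$tmp"   # not secret: sent to every client in the clear
    mv -f "$tmp" "$out"
}

# Succeed only if the installed file is mode 0644 (readable by the smtpd
# process, writable only by its owner). Handles GNU and BSD stat.
check_mode() {
    mode="$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")"
    [ "$mode" = "644" ]
}

# Regeneration only matters once Postfix is configured to use the file,
# so set the parameter and reload after each run. Only acts when invoked
# with "run", e.g. from a cron line such as (assumed path):
#   17 3 * * * root /usr/local/sbin/regen-dh.sh run
if [ "${1:-}" = "run" ]; then
    gen_dh_params "$DH_FILE" "$DH_BITS"
    check_mode "$DH_FILE"
    postconf -e "smtpd_tls_dh1024_param_file = $DH_FILE"
    postfix reload
fi
```

`postconf -e` rewrites main.cf in place, so after the first run the setting persists and later runs merely replace the file and reload; `check_mode` is there to catch a restrictive umask in the cron environment, which would otherwise leave smtpd unable to read the new parameters.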