>-----Original message-----
>From: al...@domblogger.net
>[mailto:owner-postfix-us...@postfix.org] On behalf of Alice Wonder
>Sent: Wednesday 19 August 2015 12:42
>To: postfix-users@postfix.org
>Subject: Re: TLS cert - bug in documentation or bug in my
>understanding ??
>
>
>
>On 08/19/2015 03:09 AM, L.P.H. van Belle wrote:
>> Hi,
>>
>> Try it like this, there is no need for combining the certificates.
>>
>>
>> # TLS parameters
>> smtp_tls_cert_file = /etc/ssl/certs/certificate.cer
>> smtp_tls_key_file = /etc/ssl/private/certificate.key
>> smtpd_tls_cert_file = /etc/ssl/certs/certificate.cer
>> smtpd_tls_key_file = /etc/ssl/private/certificate.key
>
>Thank you, I think I got it figured out, will be testing shortly
>
>>
>> ## RootCA and Intermediate are put here.
>> smtpd_tls_CApath = /etc/ssl/certs
>>
>>
>> and don't forget to regenerate your dhparams.
>> like:
>> ## create the private directory only if it does not exist yet
>> if [ ! -d /etc/ssl/private ]; then
>>     mkdir -p /etc/ssl/private
>>     chmod 710 /etc/ssl/private
>> fi
>>
>> ## Create unique DH Groups
>> openssl dhparam -out /etc/ssl/private/dhparams512.pem 512
>> openssl dhparam -out /etc/ssl/private/dhparams1024.pem 1024
>> openssl dhparam -out /etc/ssl/private/dhparams2048.pem 2048
>> openssl dhparam -out /etc/ssl/private/dhparams4096.pem 4096
>
>*snip*
>
>As far as DH groups - I put a script in /etc/cron.daily that
>regenerates
>the 1024 and 2048 groups once a day.
>
>I'm not sure 4096 adds any real world benefit, just eats CPU cycles.
I don't use the 4096 either, but it's there if I need it when I need it, and yes, a daily script for the DH is good to have.

>
>I'm not using 512 as I built postfix against LibreSSL and it doesn't
>support the export ciphers, and I don't think postfix 2.11.6
>does either
>anyway, at least if I understood the docs.
>
>So I'm trying with just the 2048 for now, if that's an issue then I'll
>follow the documentation on how to allow 1024 for some clients.
>
>I'd like to eventually see the DHE ciphers go away in favor of ECDHE -
>not sure how soon that will happen.
>
>I will be configuring postfix to only support ECDHE and DHE ciphers
>initially, well after I get TLS working on this server that is what I
>will try next. But I think DHE is only really needed for a few older
>clients at this point?
>

Some "too old" TLS clients will fail with Postfix. I don't know if they use DHE, and it's NOT a Postfix error.
What happens is, while client and server are exchanging keys, the client closes the connection, a message appears in your log, "server closed connection", and no mail is received.
Old Windows Exchange servers and some Lotus Notes servers have this problem, maybe more, I don't know that.
For these the only workaround, as far as I know, is: don't show the STARTTLS.

Info here: http://www.postfix.org/postconf.5.html#smtpd_discard_ehlo_keyword_address_maps

## used to disable buggy clients with faulty TLS/SSL clients
1.2.3.4 STARTTLS

which means: don't show STARTTLS for that IP.

Add in main.cf, in smtpd_client_restrictions, just after permit_mynetworks:

smtpd_discard_ehlo_keyword_address_maps = cidr:/etc/postfix/smtpd_discard_ehlo_keywords_address.cidr

Maybe there are better solutions for this, but this works for me.

Greetz,

Louis
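The per-client STARTTLS suppression above works through a Postfix cidr: table, where the first entry whose network contains the client address wins and its value is the list of EHLO keywords to hide. The following is an added example, not code from the thread or from the Postfix project: a small Python emulation of that lookup that also lints the table for overly broad entries, since every address covered by such an entry is downgraded to plaintext SMTP. The sample table, the lint thresholds (/24 for IPv4, /48 for IPv6) and the function names are all assumptions made for this example; the table syntax follows cidr_table(5) (one "network/prefix value" per line, lines starting with "#" ignored).

```python
"""Added example: emulate a Postfix cidr: lookup for
smtpd_discard_ehlo_keyword_address_maps and lint the table.

Assumptions (not from the mailing-list thread): first matching entry
wins, keywords are comma/whitespace separated and case-insensitive,
and patterns with host bits set are rejected, as Postfix does.
Continuation lines of cidr_table(5) are not handled here.
"""
import ipaddress
import re

# Constructed sample table, modelled on the one-line example in the thread.
SAMPLE_CIDR_TABLE = """\
## used to disable STARTTLS for clients with faulty TLS/SSL stacks
1.2.3.4            STARTTLS
# an old Exchange box on a /28, also hide pipelining
192.0.2.16/28      STARTTLS, PIPELINING
# IPv6 entries work the same way (deliberately broad, to trip the lint)
2001:db8::/32      STARTTLS
"""

# Widest prefix considered acceptable before the lint complains (assumed).
MIN_PREFIX = {4: 24, 6: 48}


def parse_cidr_table(text):
    """Return an ordered list of (ip_network, [KEYWORDS]) tuples."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # blank or comment line
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<network/prefix> <keywords>'")
        pattern, value = parts
        try:
            # strict=True rejects e.g. 192.0.2.1/24 (non-zero host bits)
            net = ipaddress.ip_network(pattern, strict=True)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: bad pattern {pattern!r}: {exc}") from exc
        keywords = [k.upper() for k in re.split(r"[,\s]+", value) if k]
        entries.append((net, keywords))
    return entries


def ehlo_keywords_to_discard(entries, client_ip):
    """Keywords Postfix would hide from this client; first match wins."""
    addr = ipaddress.ip_address(client_ip)
    for net, keywords in entries:
        if addr.version == net.version and addr in net:
            return keywords
    return []


def filtered_ehlo_response(advertised, client_ip, entries):
    """EHLO keywords that remain visible to the client after filtering."""
    hidden = set(ehlo_keywords_to_discard(entries, client_ip))
    return [k for k in advertised if k.upper() not in hidden]


def lint_table(entries):
    """Warn about entries that hide STARTTLS for a whole large network."""
    warnings = []
    for net, keywords in entries:
        if "STARTTLS" in keywords and net.prefixlen < MIN_PREFIX[net.version]:
            warnings.append(f"{net}: STARTTLS hidden for {net.num_addresses} addresses")
    return warnings


if __name__ == "__main__":
    table = parse_cidr_table(SAMPLE_CIDR_TABLE)
    for ip in ("1.2.3.4", "1.2.3.5", "192.0.2.20", "2001:db8:1::5"):
        print(ip, "->", ehlo_keywords_to_discard(table, ip))
    for w in lint_table(table):
        print("WARNING:", w)
```

Run it as a script to see which keywords each sample client loses; the lint is the part worth wiring into a deploy check, because a single broad entry silently turns off opportunistic TLS for far more peers than the one buggy Exchange or Notes host it was meant for.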