On Wed, Jun 15, 2022 at 01:45:36AM +0530, P V Anthony wrote:

> smtpd_tls_dh1024_param_file = /etc/pki/tls/private/postfix.dh.param

Also, this appears to be a 4096-bit DH key, again much too turgid.  Use
2048 bits instead:

https://www.postfix.org/postconf.5.html#smtpd_tls_dh1024_param_file

    smtpd_tls_dh1024_param_file (default: empty)

        File with DH parameters that the Postfix SMTP server should use
        with non-export EDH ciphers.

        With Postfix ≥ 3.7, built with OpenSSL version 3.0.0 or
        later, if the parameter value is either empty or "auto", then
        the DH parameter selection is delegated to the OpenSSL library,
        which selects appropriate parameters based on the TLS handshake.
        This choice is likely to be the most interoperable with SMTP
        clients using various TLS libraries, and custom local parameters
        are no longer recommended when using Postfix ≥ 3.7 built against
        OpenSSL 3.0.0.

        The best-practice choice of parameters uses a 2048-bit prime.
        This is fine, despite the historical "1024" in the parameter
        name. Do not be tempted to use much larger values, performance
        degrades quickly, and you may also cease to interoperate with
        some mainstream SMTP clients. As of Postfix 3.1, the compiled-in
        default prime is 2048-bits, and it is not strictly necessary,
        though perhaps somewhat beneficial to generate custom DH
        parameters.

The simplest configuration is therefore to just leave the parameter
unset; the default value will be sensible.

-- 
    Viktor.
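
A small audit script that applies the advice in this thread to a Postfix configuration. It is an added example, not part of the original message and not Postfix's own code. It reads the `smtpd_tls_dh1024_param_file` value out of a main.cf-style text, treats empty or "auto" as the recommended setting, and otherwise parses the PEM DH parameter file (PKCS#3 `DH PARAMETERS`: SEQUENCE of INTEGER p, INTEGER g) with a minimal DER decoder to report the prime size and flag anything other than 2048 bits. The function names, the sample main.cf text and the synthetic parameter blobs are constructed for the example; the synthetic blobs are sized placeholders, not real safe primes, and exist only to exercise the size check offline.

```python
"""Audit smtpd_tls_dh1024_param_file against the thread's advice (added example)."""
import base64
import re

RECOMMENDED_BITS = 2048  # the best-practice prime size quoted from postconf(5)


def main_cf_value(text, key):
    """Return the value of `key` from main.cf-style text ('' if unset)."""
    value = ""
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$", line)
        if m and m.group(1) == key:
            value = m.group(2)  # last assignment wins, as in Postfix
    return value


def der_len(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def dh_prime_bits(pem_text):
    """Bit length of p in a PKCS#3 'DH PARAMETERS' PEM blob."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    if der[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    _, pos = der_len(der, 1)
    if der[pos] != 0x02:
        raise ValueError("expected INTEGER p")
    plen, pos = der_len(der, pos + 1)
    p = int.from_bytes(der[pos:pos + plen], "big")  # leading 0x00 pad is harmless
    return p.bit_length()


def assess(setting, pem_text=None):
    """Classify the setting: ('ok'|'too-large'|'too-small', explanation)."""
    value = setting.strip()
    if value in ("", "auto"):
        return ("ok", "DH parameter choice delegated to OpenSSL (Postfix >= 3.7 with OpenSSL 3.0)")
    bits = dh_prime_bits(pem_text)
    if bits > RECOMMENDED_BITS:
        return ("too-large", f"{value}: {bits}-bit prime; costs CPU and may not interoperate")
    if bits < RECOMMENDED_BITS:
        return ("too-small", f"{value}: {bits}-bit prime; below the 2048-bit best practice")
    return ("ok", f"{value}: {bits}-bit prime")


# --- helpers to build synthetic (non-prime, size-only) DH PARAMETERS blobs ---
def _der_len_enc(n):
    if n < 0x80:
        return bytes([n])
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(nb)]) + nb


def _der_int(n):
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:
        b = b"\x00" + b  # keep the INTEGER positive
    return b"\x02" + _der_len_enc(len(b)) + b


def synthetic_pem(bits):
    """Constructed PEM whose 'p' has exactly `bits` bits. NOT a real DH group."""
    p = (1 << (bits - 1)) | 1
    body = _der_int(p) + _der_int(2)
    der = b"\x30" + _der_len_enc(len(body)) + body
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


if __name__ == "__main__":
    # Constructed main.cf excerpt mirroring the setting quoted in the thread.
    sample_main_cf = "smtpd_tls_dh1024_param_file = /etc/pki/tls/private/postfix.dh.param\n"
    setting = main_cf_value(sample_main_cf, "smtpd_tls_dh1024_param_file")
    print(assess(setting, synthetic_pem(4096)))  # stands in for the 4096-bit file
    print(assess(""))                            # the recommended configuration
```

On a real host, replace the synthetic blob with the contents of the configured file (the value `postconf -h smtpd_tls_dh1024_param_file` prints), and treat a `too-large` result as a prompt to unset the parameter rather than to regenerate a bigger file.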
