On Wed, Jun 15, 2022 at 03:00:58AM +0530, P V Anthony wrote:

> On 15/6/2022 2:43 am, Viktor Dukhovni wrote:
> 
> > The simplest configuration is therefore to just leave the parameter
> > unset, the default value will be sensible.
> 
> I have just commented out smtpd_tls_dh1024_param_file
> 
> I have made so many mistakes trying to increase security.

Increasing security is primarily about raising the *ceiling*, and rarely
about raising the floor.  When you set the bar too high, instead of
greater security, mail is sent in the clear or not at all.

    https://datatracker.ietf.org/doc/html/rfc7435

Mostly you should leave crypto policy to OpenSSL and Postfix defaults,
and customise as little as possible.  Most of the "hardening" advice
you'll find is counter-productive to downright harmful.

-- 
    Viktor.
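
An added example, not part of the original message or of Postfix itself: a small Python audit that lists which TLS crypto-policy parameters a main.cf sets explicitly, so each can be compared with the shipped default before deciding to comment it out. The watch list, the function names and the sample file are assumptions made for this example.

```python
import re

# Assumption: watch list chosen for this example. These are real Postfix
# parameters that pin DH parameters, cipher grades or protocol versions.
WATCHED = re.compile(
    r"^(smtpd?_tls_(mandatory_)?(ciphers|protocols|exclude_ciphers)"
    r"|smtpd_tls_dh\d+_param_file"
    r"|smtpd_tls_eecdh_grade"
    r"|tls_(high|medium)_cipherlist)$"
)

def logical_lines(text):
    """Join main.cf physical lines: blank and '#' lines are skipped,
    a line starting with whitespace continues the previous one."""
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            if current is not None:
                current += " " + raw.strip()
            continue
        if current is not None:
            yield current
        current = raw.rstrip()
    if current is not None:
        yield current

def tls_overrides(text):
    """Return {parameter: value} for watched settings; the last one wins."""
    found = {}
    for line in logical_lines(text):
        name, sep, value = line.partition("=")
        name = name.strip()
        if sep and WATCHED.match(name):
            found[name] = value.strip()
    return found

# Constructed sample main.cf, not taken from any real system.
SAMPLE = """\
smtpd_tls_security_level = may
#smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3,
    !TLSv1, !TLSv1.1
smtpd_tls_ciphers = high
"""

if __name__ == "__main__":
    for name, value in tls_overrides(SAMPLE).items():
        print(f"{name} = {value}   # default: postconf -d {name}")
```

On a live system, `postconf -n` prints every setting that main.cf overrides, and `postconf -d` prints the built-in default for a given parameter.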
