Re: Diffie-Hellman parameters

2013-11-18 Thread Viktor Dukhovni
On Mon, Nov 18, 2013 at 08:03:00AM -0700, LuKreme wrote:
> > I changed smtpd_tls_dh1024_param_file to use a 2k dh key at the mx server.
> > That solved the problem ...
>
> I can't imagine that that didn't cause other problems. If a server
> negotiates for a dh1024 key and is expecting a dh1024 ke

Re: Diffie-Hellman parameters

2013-11-18 Thread LuKreme
On 18 Nov 2013, at 02:53, Andreas Schulze wrote:
> I changed smtpd_tls_dh1024_param_file to use a 2k dh key at the mx server.
> That solved the problem ...

I can't imagine that that didn't cause other problems. If a server negotiates for a dh1024 key and is expecting a dh1024 key and it gets

Re: Diffie-Hellman parameters

2013-11-18 Thread Andreas Schulze
Quoting Viktor Dukhovni:
> Any evidence of other legitimate MTAs that now routinely fail TLS handshakes?

No, I didn't see more TLS errors. There is the usual noise of TLS failures that didn't change.

Andreas

Re: Diffie-Hellman parameters

2013-11-18 Thread Viktor Dukhovni
On Mon, Nov 18, 2013 at 10:53:19AM +0100, Andreas Schulze wrote:
> >On the other hand, some Exim MTA SMTP clients (patched by a
> >well-meaning, but under-informed Debian maintainer) don't support
> >DH primes shorter than 2048 bits.
>
> I had trouble receiving messages from those sites too.
>

Re: Diffie-Hellman parameters

2013-11-18 Thread Andreas Schulze
Quoting Viktor Dukhovni:
> On the other hand, some Exim MTA SMTP clients (patched by a well-meaning, but under-informed Debian maintainer) don't support DH primes shorter than 2048 bits.

I had trouble receiving messages from those sites too. I changed smtpd_tls_dh1024_param_file to use a 2

Re: Diffie-Hellman parameters

2013-11-17 Thread Viktor Dukhovni
On Sun, Nov 17, 2013 at 11:36:34PM +0100, Fedor Brunner wrote:
> Please increase the size of Diffie-Hellman parameters in
> http://www.postfix.org/TLS_README.html
> You recommend 1024 bit DH parameters, but for long term protection,
> these parameters are too short.

Postfix prime-D

Re: Diffie-Hellman parameters

2013-11-17 Thread li...@rhsoft.net
On 17.11.2013 23:36, Fedor Brunner wrote:
> Please increase the size of Diffie-Hellman parameters in
> http://www.postfix.org/TLS_README.html
> You recommend 1024 bit DH parameters, but for long term protection,
> these parameters are too short.
>
> During ephemeral Diffie

Diffie-Hellman parameters

2013-11-17 Thread Fedor Brunner
Hi, Please increase the size of Diffie-Hellman parameters in http://www.postfix.org/TLS_README.html You recommend 1024 bit DH parameters, but for long term protection, these parameters are too short. During ephemeral Diffie-Hellman (EDH) key exchange a temporary key is generated from DH