On Fri, 14 Aug 2015 11:07:17 +0100, Stuart Henderson wrote:
> Generally looks good but one thing I'm wondering about.
>
> > +.Dl # openssl genrsa -out /etc/ssl/private/mail.example.com.key 4096
> > +.Pp
> > +This would generate a 4096-bit
>
> Is 4096-bit overkill? When we updated ssl(8) we settled on 2048-bit though
> that's more aimed at https where response time is more important.
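Review bot: the key size appears twice in this hunk, once in the .Dl command ("... 4096") and again in the prose ("This would generate a 4096-bit"), so if the size is changed to 2048 as discussed below, both lines have to move together or the example and its explanation will disagree; consider stating the number only once (e.g. have the prose say the command generates a key of the size given on the command line), and whatever size is settled on should match the example in smtpd.conf(5) that this text was synced with.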
Could be. I was just syncing that part with the example in smtpd.conf.
Since smtp is not interactive it probably doesn't matter much but I'm OK
with 2048-bit keys as well.

> Related to this: smtpd(8) has compiled-in 1024-bit DH parameters.
> This probably wants at least bumping to 2048 though I wonder if it
> might be better to remove the compiled-in value completely and
> require it to be read from a file instead.
>
> Would it make sense to have a common "system" dh params file, in a
> similar vein to ssh's /etc/moduli? (Actually, could we just *use*
> /etc/moduli?)

I don't see why not.

 - todd
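The "could we just use /etc/moduli?" question above comes down to a format mismatch: moduli(5) is a text file of hex moduli, while a TLS daemon loads Diffie-Hellman parameters as a PKCS#3 "DH PARAMETERS" PEM (the format openssl dhparam writes). The following is an added example, not code from this thread, from OpenBSD, smtpd or OpenSSH: it parses moduli(5) lines, applies a filter of its own (safe-prime type, Miller-Rabin tested, not flagged composite, at least 2048 bits measured on the modulus itself, not the size column), DER-encodes the first acceptable entry as a DHParameter SEQUENCE and PEM-wraps it, then parses the PEM back to confirm the prime size. The sample moduli lines are constructed (the moduli are not real safe primes, only the layout is realistic), the filter is this example's assumption rather than sshd's selection logic, and the remark about the size column reading one less than the bit length is an observation about published moduli files, not a documented guarantee.

```python
"""Turn an OpenSSH moduli(5) entry into a PKCS#3 "DH PARAMETERS" PEM.

Added example for this thread; not code from OpenBSD, smtpd or OpenSSH.
SAMPLE_MODULI is constructed: its moduli are not real safe primes, only
the field layout and sizes are realistic. The acceptance filter is this
example's own assumption, not a copy of sshd's selection logic.
"""
import base64

# moduli(5) field values (type column and tests bitmask)
MODULI_TYPE_SAFE = 2            # (p-1)/2 is also prime
MODULI_TESTS_COMPOSITE = 0x01   # marked composite: never use
MODULI_TESTS_MILLER_RABIN = 0x04

MIN_BITS = 2048                 # the thread wants the 1024-bit default gone


def parse_moduli_line(line):
    """Parse one moduli(5) line into a dict; None for comments and blanks."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) != 7:
        raise ValueError("expected 7 fields, got %d" % len(fields))
    time, type_, tests, trials, size, generator, modulus = fields
    return {"time": time, "type": int(type_), "tests": int(tests),
            "trials": int(trials), "size": int(size),
            "generator": int(generator, 16), "modulus": int(modulus, 16)}


def usable_for_dh(entry, min_bits=MIN_BITS):
    """Assumed filter: safe prime, Miller-Rabin tested, not composite, big enough.

    The size column is not trusted: in published OpenSSH moduli files it
    reads 2047 for a 2048-bit modulus, so the modulus itself is measured.
    """
    tests = entry["tests"]
    return (entry["type"] == MODULI_TYPE_SAFE
            and not tests & MODULI_TESTS_COMPOSITE
            and bool(tests & MODULI_TESTS_MILLER_RABIN)
            and entry["trials"] > 0
            and entry["modulus"].bit_length() >= min_bits)


def der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value):
    """DER INTEGER for a non-negative int; a leading 0x00 keeps it positive."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + der_length(len(body)) + body


def dh_params_pem(p, g):
    """PKCS#3 DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }."""
    body = der_integer(p) + der_integer(g)
    der = b"\x30" + der_length(len(body)) + body
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines)
            + "\n-----END DH PARAMETERS-----\n")


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7f
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def dh_params_bits(pem):
    """Parse a DH PARAMETERS PEM back and return (prime_bits, generator)."""
    inner = pem.split("-----BEGIN DH PARAMETERS-----")[1]
    inner = inner.split("-----END DH PARAMETERS-----")[0]
    der = base64.b64decode("".join(inner.split()))
    tag, seq, _ = _read_tlv(der, 0)
    tag_p, p_bytes, pos = _read_tlv(seq, 0)
    tag_g, g_bytes, _ = _read_tlv(seq, pos)
    if (tag, tag_p, tag_g) != (0x30, 0x02, 0x02):
        raise ValueError("not a DHParameter SEQUENCE of two INTEGERs")
    return (int.from_bytes(p_bytes, "big").bit_length(),
            int.from_bytes(g_bytes, "big"))


def select_dh_params(moduli_text, min_bits=MIN_BITS):
    """PEM for the first usable entry in a moduli(5) file, or None."""
    for line in moduli_text.splitlines():
        entry = parse_moduli_line(line)
        if entry is not None and usable_for_dh(entry, min_bits):
            return dh_params_pem(entry["modulus"], entry["generator"])
    return None


# Constructed excerpt: a 1024-bit entry, a 2048-bit entry flagged composite
# (tests=1) and a good 2048-bit entry. None of these moduli is prime.
_FAKE_1024 = (1 << 1023) | 0x5
_FAKE_2048 = (1 << 2047) | 0x5
SAMPLE_MODULI = "\n".join([
    "# constructed /etc/moduli excerpt, not a real file",
    "20150814110717 2 6 100 1023 2 %x" % _FAKE_1024,
    "20150814110717 2 1 100 2047 2 %x" % _FAKE_2048,
    "20150814110717 2 6 100 2047 2 %x" % _FAKE_2048,
])

if __name__ == "__main__":
    pem = select_dh_params(SAMPLE_MODULI)
    print(pem, end="")
    print("prime bits, generator:", dh_params_bits(pem))
```

Run against the real /etc/moduli instead of SAMPLE_MODULI, the output file is in the same format openssl dhparam produces, so "openssl dhparam -in dh.pem -noout -text" shows the prime size and "openssl dhparam -in dh.pem -check" validates the group (the constructed sample will not pass that check, a real moduli entry should). Because the moduli file holds many groups of each size, a daemon that reads its DH parameters from such a file gets a group that is not shared with every other install of the compiled-in default.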
