Support using dhparam in Postfix and Dovecot

7 years ago · 4e0bd32d50
parent 53c3153229
commit 4e0bd32d50
2 changed files with 2 additions and 1 deletions
--- a/dovecot/conf/dovecot.conf
+++ b/dovecot/conf/dovecot.conf
@ -58,12 +58,12 @@ namespace inbox {
 ssl = yes
 ssl_cert = </certs/cert.pem
 ssl_key = </certs/key.pem
+ssl_dh = </certs/dhparam.pem
 # TLS hardening is based on the following documentation:
 # https://bettercrypto.org/static/applied-crypto-hardening.pdf
 ssl_protocols=!SSLv3 !SSLv2
 ssl_cipher_list = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
 ssl_prefer_server_ciphers = yes
-ssl_dh_parameters_length = 2048
 ssl_options = no_compression

 ###############
--- a/postfix/conf/main.cf
+++ b/postfix/conf/main.cf
@ -45,6 +45,7 @@ tls_preempt_cipherlist = yes
 smtpd_tls_security_level = may
 smtpd_tls_cert_file=/certs/cert.pem
 smtpd_tls_key_file=/certs/key.pem
+smtpd_tls_dh1024_param_file=/certs/dhparam.pem
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

 # Server-side TLS is hardened, it should be up to the client to update his or