Is there a newer, more secure dhparams.pem file anywhere? On a newly auto-installed ISPConfig 3.2 on Ubuntu 24.04, I can see dhparam4096.pem in /usr/local/ispconfig/interface/ssl/, which seems to match the internet standard ffdhe4096.pem file, and I can't find anything newer than that file. I can see /etc/ssl/private/pure-ftpd-dhparams.pem and /etc/dovecot/dh.pem point to this same pem file. I can't find any specific nginx or postfix configuration pointing to this file, but I assume they would both be using that same pem file. I'd like to get 100% results on the internet.nl web and email tests. I can get 100% for the web test, which is happy with the key exchange parameters in use, but I can only get to 97% for the email test... the only thing left to fix for it is the key exchange parameters. I'm assuming nginx and postfix are using this same dh4096.pem file, as there's no /etc/ssl/private/dhparams.pem file for them to default to, but I have no idea why the tests would think it's secure in nginx but not postfix.
I don't think Postfix or Nginx use it. We just configured it in some services that required it, like dovecot.
You can get the file postfix uses with:
Code:
postconf | grep smtpd_tls_dh
and at least on my server, this is not set.
Code:
smtpd_tls_dh1024_param_file =
smtpd_tls_dh512_param_file =
tlsproxy_tls_dh1024_param_file = $smtpd_tls_dh1024_param_file
tlsproxy_tls_dh512_param_file = $smtpd_tls_dh512_param_file
You should be able to set it like this in Postfix main.cf:
Code:
smtpd_tls_dh1024_param_file = /etc/ssl/dhparams.pem
smtpd_tls_dh512_param_file = /etc/ssl/dhparams.pem
You can generate your own DH params file with the openssl command if you do not find one that suits your needs. Example:
Code:
openssl dhparam -out /etc/ssl/dhparams.pem 4096
Just set a higher number for the bit length.
Thanks @till, configured in postfix main.cf:
Code:
smtpd_tls_dh1024_param_file = /etc/ssl/private/dhparams.pem
smtpd_tls_dh512_param_file = /etc/ssl/private/dhparams.pem
So it's all in the same place as the pure-ftpd config, and symlinked to the ispconfig/interface/ssl/dhparam4096.pem file, so I can still change the postfix dhparams config without affecting other services if needed. I'm now getting 100% compliance on both web and email testing. Now I just need to test various old mail clients and change letsencrypt certs... make sure the secure config isn't blocking older mail clients, and that DANE rollover works ok...
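As an added example (not code from this thread or from ISPConfig), the `postconf | grep smtpd_tls_dh` check and the main.cf setting above turned into a small script: it reads postconf output, parses the DH PARAMETERS PEM that each smtpd_tls_dh*_param_file names, and reports the prime size, so you can confirm which group Postfix will actually offer before re-running the internet.nl email test. The `files` argument, the `dh_params_pem` fixture builder and the sample postconf lines in the test are constructed stand-ins, not real server data.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S)

def _der_len(n):  # DER length: short form below 128, else 0x80|N then N big-endian bytes
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([n]) if n < 0x80 else bytes([0x80 | len(body)]) + body

def _der_int(v):  # one spare byte keeps the sign bit clear (DER INTEGER is signed)
    body = v.to_bytes(v.bit_length() // 8 + 1, "big")
    return b"\x02" + _der_len(len(body)) + body

def dh_params_pem(p, g=2):
    """Serialise PKCS#3 DHParameter ::= SEQUENCE { p INTEGER, g INTEGER } as PEM (fixture builder)."""
    body = _der_int(p) + _der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len(len(body)) + body).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN DH PARAMETERS-----\n{lines}\n-----END DH PARAMETERS-----\n"

def _tlv(buf, pos=0):  # read one DER tag/length/value at pos -> (tag, value_bytes, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits say how many length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def dh_prime_bits(pem_text):
    """Bit length of the DH prime p (the key exchange size a TLS scanner reports)."""
    m = PEM_RE.search(pem_text)
    if not m: raise ValueError("no DH PARAMETERS block found")
    tag, seq, _ = _tlv(base64.b64decode("".join(m.group(1).split())))
    tag_p, p_bytes, _ = _tlv(seq)
    if tag != 0x30 or tag_p != 0x02:
        raise ValueError("expected SEQUENCE { INTEGER p, INTEGER g }")
    return int.from_bytes(p_bytes, "big").bit_length()

def check_postfix_dh(postconf_output, min_bits=2048, files=None):
    """Verdict per smtpd_tls_dh*_param_file line; `files` (path -> PEM text) replaces disk reads."""
    verdicts = {}
    for line in postconf_output.splitlines():
        key, _, value = (s.strip() for s in line.partition("="))
        if not key.startswith("smtpd_tls_dh"):
            continue
        if value:
            bits = dh_prime_bits(files[value] if files is not None else open(value).read())
            verdicts[key] = f"{bits}-bit {'ok' if bits >= min_bits else 'below minimum'}"
        else:
            verdicts[key] = "unset"
    return verdicts
```

On a real server feed it the output of `postconf | grep smtpd_tls_dh` with `files=None` so the configured paths (symlinks included) are read from disk.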
Code:
smtpd_tls_dh1024_param_file = /etc/ssl/dhparams.pem
smtpd_tls_dh512_param_file = /etc/ssl/dhparams.pem
What about adding this to the ISPConfig installer / updater for the ISPConfig mail server?
Neither /etc/ssl/dhparams.pem nor /etc/ssl/private/dhparams.pem exists by default. /usr/local/ispconfig/interface/ssl/dhparam4096.pem does. So maybe we should use that in the configuration?
I guess there is no dhparams.pem symbolically linked in the /etc/ssl or /etc/ssl/private folder from ispconfig/interface/ssl that can be used immediately if it is just a mail server with no FTP service, so yes, maybe directly use the one from ispconfig/interface/ssl for it in such a case.
Yep.. even if there's one for ftp, it has a different name.. I just created another symlink in /etc/ssl/private to the ispconfig one..
Code:
lrwxrwxrwx 1 root root 50 Aug 30 14:55 dhparams.pem -> /usr/local/ispconfig/interface/ssl/dhparam4096.pem
lrwxrwxrwx 1 root root 50 Aug 21 12:53 pure-ftpd-dhparams.pem -> /usr/local/ispconfig/interface/ssl/dhparam4096.pem
lrwxrwxrwx 1 root root 48 Aug 21 13:38 pure-ftpd.pem -> /usr/local/ispconfig/interface/ssl/ispserver.pem
For production, I would probably stick with creating another symlink for each service there. So I'd recreate the dhparams.pem symlink as postfix-dhparams.pem, which still allows changing the actual .pem file separately for each service if needed in the future.