dhparams.pem

Discussion in 'Installation/Configuration' started by nhybgtvfr, Aug 30, 2024.

  1. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    Is there a newer, more secure dhparams.pem file anywhere?

    On a newly auto-installed ISPConfig 3.2 on Ubuntu 24.04, I can see dhparam4096.pem in /usr/local/ispconfig/interface/ssl/,
    which seems to match the internet standard ffdhe4096.pem file, and I can't find anything newer than that file.

    I can see /etc/ssl/private/pure-ftpd-dhparams.pem and /etc/dovecot/dh.pem point to this same pem file.
    I can't find any specific nginx or postfix configuration pointing to this file, but I assume they would both be using that same pem file.

    I'd like to get 100% results on the internet.nl web and email tests. I can get 100% for the web test, which is happy with the key exchange parameters in use, but I can only get to 97% for the email test... the only thing left to fix for it is the key exchange parameters...
    I'm assuming nginx and postfix are using this same dh4096.pem file, as there's no /etc/ssl/private/dhparams.pem file for them to default to,
    but I have no idea why the tests would think it's secure in nginx but not postfix.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    I don't think Postfix or Nginx use it. We just configured it in some services that required it, like dovecot.
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    You can get the file postfix uses with:

    Code:
    postconf | grep smtpd_tls_dh
    and at least on my server, this is not set.

    Code:
    smtpd_tls_dh1024_param_file =
    smtpd_tls_dh512_param_file =
    tlsproxy_tls_dh1024_param_file = $smtpd_tls_dh1024_param_file
    tlsproxy_tls_dh512_param_file = $smtpd_tls_dh512_param_file
    You should be able to set it like this in Postfix main.cf:

    Code:
    smtpd_tls_dh1024_param_file = /etc/ssl/dhparams.pem
    smtpd_tls_dh512_param_file = /etc/ssl/dhparams.pem
    You can generate your own DH params file with the openssl command if you do not find one that suits your needs. Example:

    Code:
    openssl dhparam -out /etc/ssl/dhparams.pem 4096
    Just set a higher number for the bit length.
     
    ahrasis likes this.
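Before pointing smtpd_tls_dh1024_param_file at a file, it is worth confirming what size of group that file actually holds. The following is an added example (not code from the thread or from ISPConfig): a small parser for the PKCS#3 "DH PARAMETERS" PEM that `openssl dhparam` writes, returning the bit length of the prime, plus a constructed-sample helper so it can be exercised without a real 4096-bit file.

```python
import base64
import re
# Constructed example (not code from the thread): parse the PKCS#3 "DH PARAMETERS"
# PEM that `openssl dhparam` writes and report the size of the prime p in bits.
def _read_tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: next N bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length

def dh_params_bits(pem_text):
    """Return the bit length of the DH prime p in a 'DH PARAMETERS' PEM block."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, start, _ = _read_tlv(der, 0)
    if tag != 0x30:                      # SEQUENCE { prime INTEGER, base INTEGER }
        raise ValueError("expected DER SEQUENCE")
    tag, p_start, p_end = _read_tlv(der, start)
    if tag != 0x02:
        raise ValueError("expected INTEGER for p")
    return int.from_bytes(der[p_start:p_end], "big").bit_length()  # 0x00 pad is fine

def meets_minimum(pem_text, minimum_bits=2048):
    return dh_params_bits(pem_text) >= minimum_bits

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der_int(n):
    raw = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    if raw[0] & 0x80:                    # leading 0x00 keeps the INTEGER positive
        raw = b"\x00" + raw
    return b"\x02" + _der_len(len(raw)) + raw

def make_test_pem(p, g=2):
    """Constructed sample PEM for offline testing; p need not be prime."""
    body = _der_int(p) + _der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len(len(body)) + body).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN DH PARAMETERS-----\n{lines}\n-----END DH PARAMETERS-----\n"
```

Run `dh_params_bits(open("/etc/ssl/dhparams.pem").read())` against the real file; a 4096-bit group such as ffdhe4096 returns 4096.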
  4. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    Thanks @till

    Configured in postfix main.cf:
    Code:
    smtpd_tls_dh1024_param_file = /etc/ssl/private/dhparams.pem
    smtpd_tls_dh512_param_file = /etc/ssl/private/dhparams.pem
    
    So it's all in the same place as the pure-ftpd config, and symlinked to the ispconfig/interface/ssl/dhparam4096.pem file, so I can still change the postfix dhparams config without affecting other services if needed.

    I'm now getting 100% compliance on both web and email testing. :)

    Now I just need to test various old mail clients and change the letsencrypt certs... make sure the secure config isn't blocking older mail clients, and that DANE rollover works ok... :eek:
     
    ahrasis and till like this.
  5. Stase

    Stase New Member

    It's great that it worked! I wonder if all email clients are compatible?
     
  6. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Code:
    smtpd_tls_dh1024_param_file = /etc/ssl/dhparams.pem
    smtpd_tls_dh512_param_file = /etc/ssl/dhparams.pem
    What about adding this to ISPConfig installer / updater for ISPConfig mail server?
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    I guess we just have to add these two lines to the ISPConfig installer template, then.
     
    ahrasis likes this.
  8. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    /etc/ssl/dhparams.pem or /etc/ssl/private/dhparams.pem both do not exist by default. /usr/local/ispconfig/interface/ssl/dhparam4096.pem does. So maybe we should use that in the configuration?
     
  9. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I guess there is no dhparams.pem symbolically linked, in the /etc/ssl or /etc/ssl/private folder, from ispconfig/interface/ssl that can immediately be used if it is just a mail server with no ftp service, so yes, maybe directly use the one from ispconfig/interface/ssl for it in such a case.
     
  10. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    Yep.. even if there's one for ftp, it has a different name.. I just created another symlink in /etc/ssl/private to the ispconfig one..

    Code:
    lrwxrwxrwx 1 root root       50 Aug 30 14:55 dhparams.pem -> /usr/local/ispconfig/interface/ssl/dhparam4096.pem
    lrwxrwxrwx 1 root root       50 Aug 21 12:53 pure-ftpd-dhparams.pem -> /usr/local/ispconfig/interface/ssl/dhparam4096.pem
    lrwxrwxrwx 1 root root       48 Aug 21 13:38 pure-ftpd.pem -> /usr/local/ispconfig/interface/ssl/ispserver.pem
    
    For production, I would probably stick with creating another symlink for each service there. So I'd recreate the dhparams.pem symlink as postfix-dhparams.pem; that still allows changing the actual .pem file separately for each service if needed in the future.
     
    till and ahrasis like this.