Re: [exim] Exim TLS security, DH and standard parameters

Author: Lena
Date:  
To: exim-users
Subject: Re: [exim] Exim TLS security, DH and standard parameters
> From: Phil Pennock

> Short version: used to be utterly horrible for OpenSSL users; got
> better, but we now believe not as much better as we'd hoped; we now
> believe that for GnuTLS users, things got a little worse instead of
> being a no-op. In the next version of Exim (4.88) it's better still by
> default, but manually generating a file for your `tls_dhparam` setting
> avoids the issue, always has, and is the best way forward.


Am I understanding you correctly, that you recommend every
Exim admin using OpenSSL to specify at the beginning of the Exim config

tls_dhparam = /path/dhparam.pem

where the file should be generated once with the commands

openssl dhparam -out /path/dhparam.pem 2236
chown root:mail /path/dhparam.pem
chmod 640 /path/dhparam.pem

For FreeBSD the /path/ can be /usr/local/etc/exim/
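
The check below is an added example, not part of the original message or of Exim: it decodes the PEM `DH PARAMETERS` block in the file named by `tls_dhparam` and compares the prime size and file mode with the 2236 bits and mode 640 used in the commands above. The function names are hypothetical, and the root:mail ownership is not checked.

```python
import base64, os, re, stat

PEM_RE = re.compile(
    r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S)

def _der_len(der, i):
    """Decode the DER length at der[i]; return (length, index of content)."""
    if i >= len(der):
        raise ValueError("truncated DER")
    first = der[i]
    if first < 0x80:                      # short form: the byte is the length
        return first, i + 1
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0:
        raise ValueError("indefinite length is not valid DER")
    return int.from_bytes(der[i + 1:i + 1 + n], "big"), i + 1 + n

def _der_int(der, i):
    """Decode the INTEGER at der[i]; return (value, index after it)."""
    if der[i:i + 1] != b"\x02":
        raise ValueError("expected INTEGER tag")
    length, i = _der_len(der, i + 1)
    if i + length > len(der):
        raise ValueError("truncated INTEGER")
    return int.from_bytes(der[i:i + length], "big"), i + length

def parse_dhparam(pem_text):
    """Return (prime_bits, generator) from a PEM 'DH PARAMETERS' block."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    if der[:1] != b"\x30":
        raise ValueError("expected SEQUENCE tag")
    _, i = _der_len(der, 1)               # skip the SEQUENCE header
    p, i = _der_int(der, i)               # prime modulus
    g, _ = _der_int(der, i)               # generator
    return p.bit_length(), g

def audit_dhparam(path, min_bits=2236, want_mode=0o640):
    """Return a list of findings for a tls_dhparam file; empty means OK."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode != want_mode:
        findings.append(f"mode is {mode:o}, expected {want_mode:o}")
    with open(path) as fh:
        bits, _ = parse_dhparam(fh.read())
    if bits < min_bits:
        findings.append(f"prime is {bits} bits, expected at least {min_bits}")
    return findings
```

The parser reports the size of the modulus only; it does not test that the value is prime.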