[Dovecot] 2048-bit Diffie-Hellman parameters

Robert Schetterer rs at sys4.de
Tue Sep 24 11:05:05 EEST 2013

On 24.09.2013 08:48, Marios Titas wrote:
> Currently, dovecot generates two primes for Diffie-Hellman key
> exchanges: a 512-bit one and a 1024-bit one. In light of recent
> events, I think it would be wise to add support for 2048-bit primes as
> well, or even better, add a configuration option that lets the user
> select a file (or files) containing the DH parameters.
> In recent years, there has been increased interest in DH especially in
> its ephemeral version (DHE) because it provides perfect forward
> secrecy. In that context, the use of 1024-bit parameters might not
> seem such a terrible idea: if someone cracks the ephemeral key then
> they will only gain access to the data exchanged during that
> particular session. Therefore, it might not be worth the effort to
> crack such a key. But this is certainly not the case for IMAPS: it is
> quite likely that the session data will include the user's
> credentials.

You may get problems with older mail clients; on the SMTP side I discovered that, e.g., Netscape 7 is not able to handle anything bigger than 1024, but some more configure options may be fine anyway.

Best Regards
Kind regards, Robert Schetterer

[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München (Munich district court): HRB 199263
Board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
