DH-2048 to DH-4096

Help
1

For weeks, trying to find out how to get Letsencrypt to update my 2048 to 4096 key with Virtualmin on one of my servers. Not successful at the moment and hopefully someone in this forum can help me out. I have been posting at Virtualmin, but it seems to be an issue with Letencrypt.

The error I get from test id the following:

Verdict:

At least one of your mail servers supports insufficiently secure parameters for Diffie-Hellman key exchange.

Technical details:

Mail server (MX) Affected parameters Security level
yr-design.biz. DH-2048 insufficient

Regards,
Rob Oudendijk

2

This issue doesn't have anything to do with TLS certificates in general and Let's Encrypt in particular.

Your SMTP daemon seems to be Postfix. I don't have any experience with Virtualmin and how (or if) it configures Postfix, you may need to configure it yourself. Consult with this document, especially the parts about FFDHE Server support.

6 Likes
3

If you have shell access to the SMTP server system, you may generate a bigger Diffi-Helman group with the openssl dhparam command.
In my system it is the following, but that is distribution specific:

openssl dhparam -out /etc/pki/tls/certs/dhparams.pem 4096
5 Likes
4

I'm not familiar with mail client compatibility, but you might want to consider disabling DH(E) cipher suits entirely in favor of ECDHE, the EC variant. This, as DH(E) is very, very slow..

6 Likes
5

Thanks for the fast reply.
My current postfix main.cf is with the following:

smtp_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2
smtpd_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2

tls_high_cipherlist = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
tls_medium_cipherlist = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES

smtp_tls_ciphers = high
smtpd_tls_ciphers = high

Regards,
rob Oudendijk

6

Running the command gives me these errors:

root@yr-design:~# openssl dhparam -out /etc/pki/tls/certs/dhparams.pem 4096
Can't open /etc/pki/tls/certs/dhparams.pem for writing, No such file or directory
140329455351104:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:69:fopen('/etc/pki/tls/certs/dhparams.pem','w')
140329455351104:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:76:
root@yr-design:~#
7

Allthough this is working now:

openssl dhparam -out dhparam.pem 4096

Generating the key. Not sure how to use it on Virtualmin/Webmin with Letsencrypt..

Regards,
rob Oudendijk

8

As I wrote the command is distribution specific. Probably your system is not CentOS.
Check is there any directory /etc/ssl ?

3 Likes
9

Ubuntu and move the file to /etc/ssl/dhparam.pem. Did not help either.
Virtualmin is used.

Regards,
rob

10
5 Likes
11

I concur with the quote from Rudy above.

But if you still want to have DHE stuff: you donʼt just create that dhparam file, you need to instruct Postfix to use it. Consult Postfix docs on how to do that. Here's the relevant part:
https://www.postfix.org/postconf.5.html#smtpd_tls_dh1024_param_file

7 Likes
12

If this "insufficient" message came from internet.nl or a similar validator, it will not be satisfied with a random 3072- or 4096-bit DH group, but expects one of the standard RFC 7919 FFDHE groups (preferably ffdhe3072).

6 Likes
13
6 Likes
14

rg305,

Thank you for the links. I will follow the information and set/test.

Regards,
Rob Oudendijk

1 Like
15

Ghen,

Thanks for the information. I will check/read about the FFDHE information.

Regards,
Rob Oudendijk

1 Like
16

Nekit,

I will read up on the information you supplied.

Regards,
Rob Oudendijk

17

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.