The site weakdh.org explains how to fix postfix against the weak Diffie-Hellman attack called "logjam".
But don't I have to fix courier too? Or do I have to migrate to dovecot to be logjam-safe?
Ssl – Fix logjam vulnerability in courier
courierlogjamsslvulnerabilities
Related Topic
- Apache – How to Fix ‘Logjam’ Vulnerability in Apache (httpd)
- Openvpn – How to fix the Logjam vulnerability in OpenVPN server config
- Ssh – Are there any security benefits to deploying custom SSH DH groups to client-only systems
- Mysql – How to fix Logjam vulnerability with MySQL
- Java Keytool – Generate New 2048-bit Diffie-Hellman Parameters
Best Answer
I found this blog post that explains it quite well.
To speed this up, first check, if you already have good parameters in
/etc/ssl/certs/dhparams.pemcheck withif so copy them into
/etc/courier/dhparams.pemwithotherwise generate with
Courrier version 4.15 removes the TLS_DHCERTFILE parameter from imap, and pop3d configuration files. DH parameters, and DH parameters only, get read from the new TLS_DHPARAMS file (and the other functionaly of TLS_DHCERTFILE, for DSA certificates, is merged into TLS_CERTFILE). After upgrading, run the mkdhparams script to create a new TLS_DHPARAMS file.
So check your installed version with
If you have at least Version 4.15, now edit
/etc/courier/imapd-ssland setrestart courier-imap-ssl:
check the connection with openssl version 1.0.2a.