nodemailer / wildduck

Opinionated email server
https://wildduck.email/
European Union Public License 1.2
1.91k stars, 266 forks

Bug: `tls` now supports `dhparam: 'auto'` #541

Closed. titanism closed this 8 months ago

titanism commented 1 year ago

Right now it's hard-coded to read a path string, and doesn't support 'auto':

https://github.com/nodemailer/wildduck/blob/917e029a90aaad3fa6b95100ea05de5e4495c4e7/lib/certs.js#L53-L55

[Screenshot of the linked lines in lib/certs.js, taken 2023-10-19]

Available since Node v18.16.0, you can set `dhparam: 'auto'` for sensible defaults for Perfect Forward Secrecy:

https://nodejs.org/api/tls.html#perfect-forward-secrecy

andris9 commented 1 year ago

I wouldn't classify this as a bug. WildDuck follows the common pattern where you specify the dhparam file you have generated with the openssl command. It's the same as in Nginx and many other server applications. Tbh, in email, with ancient legacy client applications, it's a wonder if the client can even use DHE. Many clients can't even use SNI.

titanism commented 1 year ago

@andris9 on that note (re: legacy) - do you run your servers in production with TLS 1.0 and 1.1 + related cipher support for IMAP? (e.g. port 993 with TLS - or do you use the node defaults for tls settings)

github-actions[bot] commented 8 months ago

This issue is stale because it has been open 45 days with no activity. Remove stale label or comment or this will be closed in 15 days.

github-actions[bot] commented 8 months ago

This issue was closed because it has been stalled for 15 days with no activity.