phdoerfler
commented
6 years ago I'll be playing Captain Obvious here: in principle the higher the bit length the better, of course. This being said a timeout of 1h also means that it is deemed OK for you to not have a postfix for 1h and not know about it / have something done about it. Now SMTP is quite a robust protocol and sane mail servers should try to attempt the sending of an email for a while but there's that.
Just for perspective: The default value in NMS is 1024 because 2048 takes a long time and 1024 is deemed sufficiently secure, but you are probably aware of this.
Last but not least the timeout value will ultimately depend on the speed of the CPU and the amount of randomness happening on the system at the time of the generation.
So you got "How quickly do I want to know if I my postfix is broken" vs. "How much time do I want to give postfix for this initial generation" with the hard to gauge bit "How fast and random is your system". I doubt it is possible to come up with a timeout value that satisfies all of these things for dhParamBitLength = 4096; and thus will work for everyone.
nyanloutre
r-raymond
(Use this template for bugs, feel free to delete it for other issues)
SNM Version: (e.g. v2.1.3)
v2.1.4
Nixos Version: (e.g. 17.09 or unstable)
18.03
Relevant part of the config to reproduce:
dhParamBitLength = 4096;What I expected to happen:
Systemd should let OpenSSL generate the key even if it take some time
What happened:
The postfix service timed out (because it's the one generating the key) and the key was not properly generated resulting in connection failures.
Relevant journald log:
I created this issue so it's possible to discuss about the best timeout value. Maybe 1 hour is enough ?