At least one of your mail servers supports insufficiently secure parameters for Diffie-Hellman key exchange.

[BenWinter]

Hello,

I am trying to harden our TLS version and ciphers due to the following errors:

Verdict:​

At least one of your mail servers supports one or more ciphers that have a phase out status, because they are known to be fragile and are at risk of becoming insufficiently secure.

Mail server (MX)	First found affected cipher	Status
*.	AES128-SHA	phase out

Verdict:​

At least one of your mail servers supports insufficiently secure parameters for Diffie-Hellman key exchange.

Mail server (MX)	Affected parameters	Security level
*	DH-2048	insufficient

How can i disable these ?

Regards,

 

[Stoiko Ivanov]

I am trying to harden our TLS version and ciphers due to the following errors:

Can make sense - but keep in mind that SMTP uses opportunistic TLS - meaning if a sending server does only support weak ciphers and there is no overlap the traffic will go through as plaintext (instead of weakly encrypted).

On the other hand at some point it might make sense to get rid of really old ciphers

In any case the configuration needs to be done for postfix - see the reference documentation:
https://www.postfix.org/TLS_README.html#server_cipher

to make changes to PMG's postfix config use the templateing system:
https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmgconfig_template_engine

I hope this helps!