You need Postfix newer than 2.6 (ideally 2.8 or later) and OpenSSL newer than 0.9 (ideally 1.0 or later).
You need to create two Diffie-Hellman parameter files and reference them in main.cf:
openssl gendh -out /etc/postfix/dh_512.pem -2 512
openssl gendh -out /etc/postfix/dh_1024.pem -2 1024
postconf -e "smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem"
postconf -e "smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem"
postconf -e "smtpd_tls_eecdh_grade = strong"
postconf -e "tls_preempt_cipherlist = yes"
postconf -e "smtpd_tls_loglevel = 1"
postconf -e "smtp_tls_loglevel = 1"
postfix reload
tls_preempt_cipherlist only takes effect from Postfix 2.8 on; older versions ignore the setting.
Dovecot should be 2.1, preferably 2.2.x.
Dovecot uses PFS, but the negotiated cipher is not visible in the log files. To log it, change /etc/dovecot/conf.d/10-logging.conf to:
login_log_format_elements = "user=<%u> method=%m rip=%r lip=%l mpid=%e %c %k"
Now test the setup:
openssl s_client -starttls smtp -connect mail.example.com:25
openssl s_client -starttls imap -connect imap.example.com:143
EDIT: Use your own mail server address for testing instead of example.com.
The output should read something like this:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
So they say, but I didn't try it yet.
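The s_client test above only prints the negotiated protocol and cipher; whether forward secrecy is actually in effect depends on the key exchange named in that cipher. As an added example (not from the original post), this POSIX shell script runs the same STARTTLS check and classifies the result: it assumes `openssl s_client` is installed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: check that a mail server's
# STARTTLS session negotiates a forward-secret (ephemeral DH/ECDH) key
# exchange. Assumes `openssl s_client` is installed; host, port and the
# STARTTLS protocol are passed as arguments. Function names are invented here.

# Return 0 when an OpenSSL cipher-suite name denotes an ephemeral key
# exchange (ECDHE/DHE). TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*) never use
# static RSA key transport, so they count as forward secret as well.
cipher_is_pfs() {
    case "$1" in
        ECDHE-*|DHE-*|EDH-*|TLS_AES_*|TLS_CHACHA20_*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read `openssl s_client` output on stdin and print one line of the form
# "<protocol> <cipher> PFS|NO-PFS|UNKNOWN". Always returns 0; the caller
# decides what to do with the verdict.
classify_tls() {
    proto="" cipher=""
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line#"${line%%[! ]*}"}          # strip leading spaces
        case "$line" in
            Protocol*:*) proto=${line#*:};  proto=${proto#"${proto%%[! ]*}"} ;;
            Cipher*:*)   cipher=${line#*:}; cipher=${cipher#"${cipher%%[! ]*}"} ;;
        esac
    done
    if [ -z "$cipher" ]; then
        verdict=UNKNOWN
    elif cipher_is_pfs "$cipher"; then
        verdict=PFS
    else
        verdict=NO-PFS
    fi
    printf '%s %s %s\n' "${proto:-?}" "${cipher:-?}" "$verdict"
    return 0
}

# Connect with STARTTLS, as the post does for ports 25 and 143, and report.
# Returns 1 when the negotiated cipher is not forward secret.
check_mail_pfs() {
    result=$(openssl s_client -starttls "$3" -connect "$1:$2" </dev/null 2>/dev/null \
             | classify_tls)
    printf '%s:%s %s\n' "$1" "$2" "$result"
    case "$result" in *" PFS") return 0 ;; *) return 1 ;; esac
}

# Only connects when invoked with arguments, e.g.: sh pfs_check.sh mail.example.com 25 smtp
if [ "$#" -eq 3 ]; then check_mail_pfs "$1" "$2" "$3"; fi
```

Run it once for smtp on port 25 and once for imap on port 143; a NO-PFS verdict means the server chose a static RSA key exchange despite the settings above.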