nginx/postfix use a new pre-generated dh2048.pem file. dovecot generates the bits on its own.
ssllabs.com reports that TLS_DHE ciphers went from 1024 to 2048 bits as expected. The ECDHE ciphers remain at 256 bits --- no idea what that really means. (This tests nginx only. I haven't tested postfix/dovecot.)
see https://discourse.mailinabox.email/t/fips-ready-for-ssl-dhec-key-exchange/76/3
The use case for this is e.g. a www server that is a separate machine to
the mailinabox, but which needs to send emails to the internet - for example it
may be running Wordpress or some other web app and need to notify arbitrary
users of comments etc.
In such cases, as the www administrator is using mailinabox, they're almost
certainly better off letting mailinabox do as much as possible as far as email
is concerned (as opposed to having the www sibling host do full delivery
itself) - among other things this simplifies reasoning about DNS records.
As the scripts keep growing, it's time to split them up to
keep them understandable.
This splits mail.sh into mail-postfix.sh, mail-dovecot.sh,
and mail-users.sh, which has all of the user database-related
configurations shared by Dovecot and Postfix. Also from
spamassassin.sh the core sieve configuration is moved into
mail-dovecot.sh and the virtual transport setting is moved
into mail-postfix.sh.
Also revising one of the sed scripts in mail-dovecot to
not insert a new additional # at the start of a line each
time the script is run.
