Generate 2048 DH group and add it to Postfix

roles/common/tasks/ssl.yml

@@ -14,6 +14,10 @@
 - name: Set permissions on combined public cert
   file: name=/etc/ssl/certs/wildcard_combined.pem mode=644
 
+- name: Create strong Diffie-Hellman group
+  command: openssl dhparam -out /etc/ssl/private/dhparam2048.pem 2048
+    creates=/etc/ssl/private/dhparam2048.pem
+
 - name: Enable Apache SSL module
   command: a2enmod ssl creates=/etc/apache2/mods-enabled/ssl.load
 

roles/mailserver/templates/etc_postfix_main.cf.j2

@@ -51,7 +51,7 @@ smtp_tls_note_starttls_offer = yes
 smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
 # http://www.postfix.org/FORWARD_SECRECY_README.html
 smtp_tls_ciphers = medium
-
+smtpd_tls_dh1024_param_file = /etc/ssl/private/dhparam2048.pem
 
 smtpd_sasl_type = dovecot
 smtpd_sasl_path = private/auth