Diffie-Hellman 2048 Bit Parameters should be changed regularly. #834
johansmitsnl merged 1 commit into docker-mailserver:master from
Since it is assumed that the NSA uses rainbow tables to break default DHE parameters, one is encouraged to change the parameters periodically.

As usual: tests ... work for me! ;)

If we are so concerned about security, why aren't 4096 bit DH parameters used?

+1 to weekly 4096 bit DH

Even though this has been merged, I can change that daily to weekly if you'd like. Considering 4096 bit: 1024 bit DH is only just getting feasible, 2048 is far in the "cannot break it" zone, and bear in mind that every additional bit doubles the attack space. Regardless: the last time I tried switching to 4096 bit, around 3 years ago, a couple of problems arose. Clients weren't able to connect because of lacking support, and mobile (Android) devices took (I guessed) too long to compute the 4096 bit (at least I had timeout issues with them). But I agree, 2048 bit would be sufficient to be regenerated every week.

4096 bit DH parameters work great for my nginx setup and all clients I've tried were able to connect to it, but I can imagine that mail clients don't have up-to-date crypto libraries like browsers do. So you're probably right about that.

@17Halbe could you add a PR for a weekly update?

I added one: #836

Instead of generating your own DH groups with "openssl dhparam", you should use the pre-defined DH groups ffdhe2048, ffdhe3072 or ffdhe4096 recommended by the IETF in RFC 7919. These groups are audited and may be more resistant to attacks than ones randomly generated. And the Postfix SMTP server EDH parameters file is not secret; these parameters are sent in the clear to all remote SMTP clients. https://wiki.mozilla.org/Security/Server_Side_TLS#Pre-defined_DHE_groups The extra security gained by weekly regeneration is not useful, and because of that, Dovecot v2.2 disabled the DH params regeneration feature completely.

How fast those things change! ;)

Since it is assumed that the NSA uses rainbow tables to break default DHE parameters, one is encouraged to change those parameters periodically.
See:
Paper: Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice
Consideration: Wie die NSA den Diffie-Hellman Schlüsseltausch knackt (German)
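
The comment above that recommends the RFC 7919 groups calls them audited. As an added example (not code from this PR or from docker-mailserver), the Python below rebuilds the ffdhe moduli from the formulas in RFC 7919 Appendix A and classifies a given DH modulus; the function names are hypothetical, and extracting the modulus p from a dhparams file is left to the caller.

```python
from decimal import Decimal, localcontext

# Offsets X from RFC 7919, Appendix A. Each modulus is
#   p = 2^b - 2^(b-64) + (floor(2^(b-130) * e) + X) * 2^64 - 1,  generator g = 2
RFC7919_OFFSETS = {"ffdhe2048": (2048, 560316),
                   "ffdhe3072": (3072, 2625351),
                   "ffdhe4096": (4096, 5736041)}

def ffdhe_prime(bits, offset):
    """Rebuild an RFC 7919 modulus from the constant e instead of trusting a hex dump."""
    with localcontext() as ctx:
        ctx.prec = bits  # decimal digits, well above the ~0.3 * bits actually needed
        e_scaled = int(Decimal(1).exp() * (1 << (bits - 130)))  # floor(2^(bits-130) * e)
    return (1 << bits) - (1 << (bits - 64)) + ((e_scaled + offset) << 64) - 1

def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19)):
    """Miller-Rabin with fixed bases: a probabilistic check, not a primality proof."""
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def audit_dh_prime(p):
    """Classify a DH modulus p: a named RFC 7919 group, or a custom (un)safe prime."""
    for name, (bits, offset) in RFC7919_OFFSETS.items():
        if p.bit_length() == bits and p == ffdhe_prime(bits, offset):
            return name
    safe = is_probable_prime(p) and is_probable_prime((p - 1) // 2)
    return "custom safe prime" if safe else "custom, NOT a safe prime"

if __name__ == "__main__":
    p = ffdhe_prime(2048, 560316)  # stands in for the modulus read from a server config
    print(hex(p)[:34], "...", audit_dh_prime(p))
```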