[exim] TLSv1.1, TLSv1.2

Author: Lena
Date:  
To: exim-users
Subject: [exim] TLSv1.1, TLSv1.2
After upgrading to OpenSSL 1.0.1, my Perl script using Crypt::SSLeay
was unable to connect as a client to a web server (https);
I had to downgrade OpenSSL to 1.0.0h on that machine (it runs Exim too).

Is the following (from the Postfix 2.9.2 release notes) relevant to Exim?
If so, should we set the
tls_require_ciphers main configuration option (Exim as server) or
the tls_require_ciphers smtp transport option (Exim as client)?

-----

| This release adds support to turn off the TLSv1.1 and TLSv1.2
| protocols. Introduced with OpenSSL version 1.0.1, these are known
| to cause inter-operability problems with for example hotmail.
|
| The radical workaround is to temporarily turn off problematic
| protocols globally:
|
| /etc/postfix/main.cf:
|     smtp_tls_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
|     smtp_tls_mandatory_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
|
|     smtpd_tls_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
|     smtpd_tls_mandatory_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
|
| However, it may be better to temporarily turn off problematic
| protocols for broken sites only:
|
| /etc/postfix/main.cf:
|     smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
|
| /etc/postfix/tls_policy:
|     example.com         may protocols=!SSLv2:!TLSv1.1:!TLSv1.2
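As an added worked example (not part of the original message, and not code from Exim or Postfix): a small translator from the Postfix protocol-list syntax quoted above to the Exim setting with the same effect. It assumes an Exim whose main-section openssl_options option accepts the no_sslv2, no_sslv3, no_tlsv1, no_tlsv1_1 and no_tlsv1_2 keywords (Exim 4.80 and later, built against OpenSSL 1.0.1 or newer); each keyword sets the matching SSL_OP_NO_* bit in OpenSSL. The point the translator makes explicit is that tls_require_ciphers is an OpenSSL cipher list, not a protocol selector, so neither the main option nor the transport option can switch a TLS version off; openssl_options can, but it is global and applies to Exim as server and as client alike, unlike the separate smtp_/smtpd_ settings in Postfix. The parser also enforces the Postfix rule that an exclusion list ("!SSLv2, !TLSv1.1") and an inclusion list ("TLSv1, TLSv1.2") may not be mixed, and accepts the colon-separated form used in tls_policy entries.

```python
"""Translate a Postfix TLS protocol list into the Exim openssl_options line
with the same effect.

Added example, not code from Exim or Postfix.  Assumptions: the protocol
names are the ones Postfix accepts (SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2)
and the Exim keywords are the no_* tokens that openssl_options accepts in
Exim 4.80 and later when built against OpenSSL 1.0.1 or newer.
"""
import re

# Postfix protocol name -> Exim openssl_options keyword (assumed mapping,
# one keyword per SSL_OP_NO_* bit in OpenSSL).  Dict order is the order in
# which the keywords are emitted.
PROTO_TO_EXIM = {
    "SSLv2": "no_sslv2",
    "SSLv3": "no_sslv3",
    "TLSv1": "no_tlsv1",
    "TLSv1.1": "no_tlsv1_1",
    "TLSv1.2": "no_tlsv1_2",
}
# Postfix matches protocol names case-insensitively; do the same here.
_BY_LOWER = {k.lower(): k for k in PROTO_TO_EXIM}


def parse_postfix_protocols(value):
    """Return the set of protocols a Postfix *_tls_protocols value (or the
    protocols= attribute of a tls_policy entry) leaves enabled.

    Postfix accepts either an exclusion list ("!SSLv2, !TLSv1.1") or an
    inclusion list ("TLSv1, TLSv1.2"); the two forms may not be mixed.
    main.cf separates entries with commas or whitespace, tls_policy with
    colons, so all three separators are accepted.
    """
    names = [t for t in re.split(r"[\s,:]+", value.strip()) if t]
    if not names:
        raise ValueError("empty protocol list")
    excluded, included = set(), set()
    for name in names:
        negate = name.startswith("!")
        key = _BY_LOWER.get(name.lstrip("!").lower())
        if key is None:
            raise ValueError("unknown protocol name: %r" % name)
        (excluded if negate else included).add(key)
    if excluded and included:
        raise ValueError("exclusion and inclusion lists may not be mixed")
    if included:
        return included
    return set(PROTO_TO_EXIM) - excluded


def exim_openssl_options(value):
    """Exim main-section line equivalent to a Postfix protocol list.

    Exim has no protocol-list option: tls_require_ciphers is an OpenSSL
    cipher list and cannot turn a protocol version off.  The per-version
    switch is openssl_options, which applies to Exim as server and client.
    """
    enabled = parse_postfix_protocols(value)
    disabled = [PROTO_TO_EXIM[p] for p in PROTO_TO_EXIM if p not in enabled]
    return "openssl_options = " + " ".join("+" + d for d in disabled)


if __name__ == "__main__":
    # The two settings from the quoted Postfix release notes.
    print(exim_openssl_options("!SSLv2, !TLSv1.1, !TLSv1.2"))
    print(exim_openssl_options("!SSLv2:!TLSv1.1:!TLSv1.2"))
    # The inclusion form: keep only TLSv1.2, i.e. drop the older versions.
    print(exim_openssl_options("TLSv1.2"))
```

Running it prints `openssl_options = +no_sslv2 +no_tlsv1_1 +no_tlsv1_2` for both spellings of the release-notes setting, and `openssl_options = +no_sslv2 +no_sslv3 +no_tlsv1 +no_tlsv1_1` for the inclusion-list form. The 2012 workaround quoted above disabled the newer versions to get past broken peers; the same translator produces the line a practitioner would want when disabling the older versions instead.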