Author: Phil Pennock
Date:
To: Raymond Norton
CC: exim-users
Subject: Re: [exim] TLS configuration
On 2013-01-29 at 11:53 -0600, Raymond Norton wrote:
> (Ubuntu 12.0.4 - Exim4 -Baruwa 2.0.0)
This doesn't tell us anything about which version of Exim is used beyond
that it's something in "Exim4". There have been significant changes in
recent Exim 4 when it comes to GnuTLS configuration, entirely replacing
which configuration directives are used. See README.UPDATING as of 4.80
or later.
> I'm getting a lot of the following in my logs, but don't know if it is
> normal, or an issue with my configuration,
Your configuration.
> 11:26:20 6310 LOG: MAIN
> 11:26:20 6310 TLS error on connection from (mail-oa0-f70.google.com)
> [209.85.219.70] (gnutls_handshake): No supported cipher suites have been
> found.
Google do not use unusual ciphersuites; not _default_ for things like
OpenSSL, as they strongly bias towards RC4-SHA for performance reasons,
but that should be accepted by you for connections from the Internet, as
it's normal and reasonable.
In mails from google.com machines, my logs record X=TLSv1:RC4-SHA:128
(and I support newer versions of TLS).
(Beware that for licensing/legal reasons, RC4 is sometimes spelt
ARCFOUR, especially in GnuTLS.)
Assuming you're using Exim 4.80.1 or somesuch, then pass whatever you
gave the "tls_require_ciphers" option in Exim to the
gnutls-list-ciphers(1) command.
A sane value for tls_require_ciphers in the main section, where you're
controlling TLS connections from the open Internet, might be: