Re: [exim] TLS configuration

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Phil Pennock
Datum:  
To: Raymond Norton
CC: exim-users
Betreff: Re: [exim] TLS configuration
On 2013-01-29 at 11:53 -0600, Raymond Norton wrote:
> (Ubuntu 12.0.4 - Exim4 -Baruwa 2.0.0)


This doesn't tell us anything about which version of Exim is used beyond
that it's something in "Exim4". There have been significant changes in
recent Exim 4 when it comes to GnuTLS configuration, entirely replacing
which configuration directives are used. See README.UPDATING as of 4.80
or later.

> I'm getting a lot of the following in my logs, but don't know if it is
> normal, or an issue with my configuration,


Your configuration.

> 11:26:20 6310 LOG: MAIN
> 11:26:20 6310 TLS error on connection from (mail-oa0-f70.google.com)
> [209.85.219.70] (gnutls_handshake): No supported cipher suites have been
> found.


Google do not use unusual ciphersuites; not _default_ for things like
OpenSSL, as they strongly bias towards RC4-SHA for performance reasons,
but that should be accepted by you for connections from the Internet, as
it's normal and reasonable.

In mails from google.com machines, my logs record X=TLSv1:RC4-SHA:128
(and I support newer versions of TLS).

(Beware that for licensing/legal reasons, RC4 is sometimes spelt
ARCFOUR, especially in GnuTLS.)

Assuming you're using Exim 4.80.1 or somesuch, then pass whatever you
gave the "tls_require_ciphers" option in Exim to the
gnutls-list-ciphers(1) command.

A sane value for tls_require_ciphers in the main section, where you're
controlling TLS connections from the open Internet, might be:

tls_require_ciphers = NORMAL:%COMPAT

-Phil