Re: [exim] TLS configuration

Inizio della pagina
Delete this message
Reply to this message
Autore: John ffitch
Data:  
To: exim-users
Oggetto: Re: [exim] TLS configuration
exim4 sounds like Debian

On Tue, 29 Jan 2013, Phil Pennock wrote:

> On 2013-01-29 at 11:53 -0600, Raymond Norton wrote:
>> (Ubuntu 12.0.4 - Exim4 -Baruwa 2.0.0)
>
> This doesn't tell us anything about which version of Exim is used beyond
> that it's something in "Exim4". There have been significant changes in
> recent Exim 4 when it comes to GnuTLS configuration, entirely replacing
> which configuration directives are used. See README.UPDATING as of 4.80
> or later.
>
>> I'm getting a lot of the following in my logs, but don't know if it is
>> normal, or an issue with my configuration,
>
> Your configuration.
>
>> 11:26:20 6310 LOG: MAIN
>> 11:26:20 6310 TLS error on connection from (mail-oa0-f70.google.com)
>> [209.85.219.70] (gnutls_handshake): No supported cipher suites have been
>> found.
>
> Google do not use unusual ciphersuites; not _default_ for things like
> OpenSSL, as they strongly bias towards RC4-SHA for performance reasons,
> but that should be accepted by you for connections from the Internet, as
> it's normal and reasonable.
>
> In mails from google.com machines, my logs record X=TLSv1:RC4-SHA:128
> (and I support newer versions of TLS).
>
> (Beware that for licensing/legal reasons, RC4 is sometimes spelt
> ARCFOUR, especially in GnuTLS.)
>
> Assuming you're using Exim 4.80.1 or somesuch, then pass whatever you
> gave the "tls_require_ciphers" option in Exim to the
> gnutls-list-ciphers(1) command.
>
> A sane value for tls_require_ciphers in the main section, where you're
> controlling TLS connections from the open Internet, might be:
>
> tls_require_ciphers = NORMAL:%COMPAT
>
> -Phil
>
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
>