On Wed, Jan 15, 2014 at 01:07:09PM -0800, Todd Lyons wrote:
> (Not) funny. I was wrong on BOTH counts. It is a runtime
> configuration and it is the user's problem. I guess I have been
> fortunate enough to have only ever used OpenSSL because it has always
> just worked without need for tweaking.

Note, some Debian releases patched Exim to make it "more secure",
thereby breaking TLS handshakes with most servers, and making Exim
less secure when Exim falls back to cleartext delivery. The OP
may well have one of the "improved" Debian Exim versions.

This has been discussed on either Exim-dev or Exim-users before.
It is also documented in
http://www.postfix.org/FORWARD_SECRECY_README.html#server_fs
near the bottom of that section. This motivated the recommendation
for Postfix administrators to create 2048-bit DHE parameter files.

--
Viktor.