Author: Phil Pennock
Date:
To: exim-users
Subject: [exim] Next Exim: TLS: changed smarthost example config
Folks,
I've committed and pushed a change to the default Exim configuration
file for the next Exim release. This change has the example SMTP
Transport used for _smarthosts_, such as talking to an ISP, using TLS by
default, with _strong_ TLS enabled, and certificate verification, and
sending SNI.
The commented-out "smarthost" Router now uses a Transport named
"smarthost_smtp" instead of "remote_smtp". The new smarthost_smtp
currently looks like the text below, which is subject to change before
the next release.
NOTE: every single bit of this configuration should work with the
current release of Exim, and the past several releases in fact. So you
can try this out now to see if it works or not, if your current
configuration isn't this demanding. *DO* watch your queues after doing
so.
Because many mail-clients are configured to talk directly to ISP
smarthosts and mail-clients usually enable TLS with decent verification
(or at least, the ones I use do), there _shouldn't_ be any issues.
But if there are, then they're likely to be:
1. Mail-provider does not provide STARTTLS on their smarthost. In 2018.
   Seriously? Find a new mail-provider.
2. Certificate does not verify. File a Support request with the
   mail-provider to get it fixed.
   In 2018? Seriously consider a new mail-provider.
3. You have to comment out the tls_require_ciphers because the
   mail-provider is running with really poor TLS support.
   File a Support request. If they don't fix this quickly, then
   consider a new mail-provider.
The example configuration, all of which can be simplified by removing
the .ifdef branches which don't apply to you:
--------------------------8< smarthost_smtp >8--------------------------
smarthost_smtp:
  driver = smtp
  message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
  multi_domain
  #
.ifdef _HAVE_TLS
  # Comment out any of these which you have to, then file a Support
  # request with your smarthost provider to get things fixed:
  hosts_require_tls = *
  tls_sni = $host
  tls_verify_hosts = *
  # As long as tls_verify_hosts is enabled, this won't matter, but if you
  # have to comment it out then this will at least log whether you succeed
  # or not:
  tls_try_verify_hosts = *
  #
.ifdef _HAVE_OPENSSL
  tls_require_ciphers = HIGH:@STRENGTH
.endif
.ifdef _HAVE_GNUTLS
  tls_require_ciphers = NONE:+VERS-TLS1.2:SECURE192
.endif
.endif
--------------------------8< smarthost_smtp >8--------------------------
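An added probe, not part of this message or of Exim itself, that talks to a smarthost with the same demands the transport above makes (STARTTLS required, SNI sent, certificate and hostname verified, HIGH:@STRENGTH with a TLS 1.2 floor) and reports which of the three numbered problems a failure corresponds to. The submission port 587, the example host name and the mapping of Python ssl errors onto those three problems are assumptions made here, not Exim's own log wording.

```python
import smtplib
import ssl

class NoStartTls(Exception):
    """EHLO response did not advertise STARTTLS (hosts_require_tls = * would fail)."""

def build_context(ciphers: str = "HIGH:@STRENGTH") -> ssl.SSLContext:
    """Mirror the transport's TLS demands: certificate and hostname verification
    (tls_verify_hosts = *), a TLS 1.2 floor (the GnuTLS +VERS-TLS1.2 branch)
    and the OpenSSL cipher string from tls_require_ciphers."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED with check_hostname on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(ciphers)
    return ctx

def classify_failure(exc: BaseException) -> int:
    """Map an error to the post's numbered problems (1..3); 0 for anything else.
    Assumption: this mapping is ours, not Exim's own log wording."""
    if isinstance(exc, NoStartTls):
        return 1  # smarthost does not offer STARTTLS
    if isinstance(exc, ssl.SSLCertVerificationError):  # SSLError subclass: test first
        return 2  # certificate does not verify
    if isinstance(exc, ssl.SSLError):
        return 3  # handshake failed, typically too-weak ciphers or protocol
    return 0

def probe_smarthost(host: str, port: int = 587, timeout: float = 15.0) -> dict:
    """Connect, EHLO, STARTTLS and report what was negotiated, or which problem
    to chase with the provider. No message is sent and no credentials are used."""
    result = {"host": host, "problem": 0, "protocol": None, "cipher": None, "error": None}
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                raise NoStartTls(f"{host}:{port} does not offer STARTTLS")
            # smtplib passes server_hostname=host to wrap_socket, so SNI is sent
            smtp.starttls(context=build_context())
            result["protocol"] = smtp.sock.version()
            result["cipher"] = smtp.sock.cipher()[0]
            smtp.ehlo()  # RFC 3207: re-issue EHLO after the TLS handshake
    except Exception as exc:  # classify anything, including connect failures
        result["problem"] = classify_failure(exc)
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result

if __name__ == "__main__":
    import sys  # usage: python probe.py smtp.yourprovider.example (placeholder host)
    print(probe_smarthost(sys.argv[1] if len(sys.argv) > 1 else "smtp.example.net"))
```

A result with problem 0 and a populated cipher is what the transport above needs; problem 1, 2 or 3 tells you which option you would otherwise be tempted to comment out.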