Re: [exim] Next Exim: TLS: changed smarthost example config

Author: Andreas Metzler
Date:  
To: exim-users
Subject: Re: [exim] Next Exim: TLS: changed smarthost example config
Phil Pennock via Exim-users <exim-users@???> wrote:
[...]
> .ifdef _HAVE_GNUTLS
> tls_require_ciphers = NONE:+VERS-TLS1.2:SECURE192
> .endif

[...]

Hello,

That priority string does not work: it disables everything and does
not enable, e.g., X509 support. Also, it is subject to bitrot; it will need
updating when TLS1.3 is common.

If you wanted to disable TLS 1.0 and 1.1 now you could simply use
NORMAL:-VERS-TLS1.0:-VERS-TLS1.1
or
SECURE192:-VERS-TLS1.0:-VERS-TLS1.1.

Personally, I am not convinced that this is the right way to try to
enforce stronger encryption standards on mail providers. I doubt there
is going to be any effect: people won't change their email address
because the hosting smarthost does not provide TLS1.2 (due to SPF et
al. they cannot simply switch smarthosts), and mail providers still not
providing TLS1.2 will not change their service because of a couple of
strange reports from Exim users.

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
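One way to check a candidate tls_require_ciphers value before it goes into an Exim config, as an added example that is not part of this thread: it feeds each priority string from the discussion to gnutls-cli's listing mode and reports whether GnuTLS accepts it and whether any cipher suites remain enabled. It assumes gnutls-cli is on PATH and that `gnutls-cli -l --priority STR` prints one enabled suite per line with a name beginning with "TLS_".

```shell
#!/bin/sh
# Added example: show what a GnuTLS priority string actually enables, so a
# tls_require_ciphers value can be checked before Exim is restarted with it.
# Assumes gnutls-cli is installed and that "gnutls-cli -l --priority STR"
# lists each enabled cipher suite on its own line, name starting with TLS_.

# check_priority PRIORITY
#   returns 0: accepted by GnuTLS and enables at least one cipher suite
#   returns 1: rejected by GnuTLS, or accepted but enables no suite at all
#   returns 2: gnutls-cli not available, nothing was checked
check_priority() {
    prio=$1
    command -v gnutls-cli >/dev/null 2>&1 || {
        echo "gnutls-cli not found, cannot check '$prio'"
        return 2
    }
    # A syntax error (e.g. a base keyword in a non-initial position) makes
    # gnutls-cli exit non-zero; report its message and stop here.
    out=$(gnutls-cli -l --priority "$prio" 2>&1) || {
        printf '%s: rejected by GnuTLS: %s\n' "$prio" "$out"
        return 1
    }
    # Count enabled cipher suites; grep -c exits 1 when it prints 0, so
    # keep the count and ignore that exit status.
    suites=$(printf '%s\n' "$out" | grep -c '^[[:space:]]*TLS_' || true)
    protos=$(printf '%s\n' "$out" | sed -n 's/^Protocols:[[:space:]]*//p')
    if [ "$suites" -eq 0 ]; then
        printf '%s: accepted but enables no cipher suites\n' "$prio"
        return 1
    fi
    printf '%s: %s cipher suites, protocols: %s\n' \
        "$prio" "$suites" "${protos:-(not listed)}"
    return 0
}

# The three strings from the thread: the one in the proposed example
# config, and the two replacements that keep a full base keyword and only
# remove the old protocol versions.
for p in 'NONE:+VERS-TLS1.2:SECURE192' \
         'NORMAL:-VERS-TLS1.0:-VERS-TLS1.1' \
         'SECURE192:-VERS-TLS1.0:-VERS-TLS1.1'; do
    check_priority "$p" || true
done
```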