Re: [exim] Next Exim: TLS: changed smarthost example config

Author: Andreas Metzler
Date:  
To: exim-users
Subject: Re: [exim] Next Exim: TLS: changed smarthost example config
On 2018-04-22 Phil Pennock <pdp@???> wrote:
> On 2018-04-21 at 11:23 +0200, Andreas Metzler via Exim-users wrote:

[...]
>> is going to be any effect, people won't change their email address
>> because the hosting smarthost does not provide TLS1.2 (due to SPF et


> I didn't actually provide a wet-finger-in-air assessment of this point.
> I covered "no TLS", "unverifiable certificate" and "ciphersuite
> problems".

[...]
> I mapped "ciphersuite problems" to something which folks should expect
> their mail provider to be able to fix quickly. If there are issues and
> they can't be fixed quickly, then why trust that the provider can do
> much of anything to provide TLS service?


> I did not map "no TLS1.2 support" but would tend to treat it much like
> ciphersuite problems.

[...]

Good morning,

I understood

| hosts_require_tls = *
| [...]
| tls_require_ciphers = NONE:+VERS-TLS1.2:SECURE192


as intent to require a) TLS and b) not any TLS version, but TLS 1.2. If
that is not the case, the proper fix is not the one I originally posted
but to simply not set tls_require_ciphers for GnuTLS, since the defaults
(Exim uses NORMAL - see "gnutls-cli --list --priority=NORMAL") are not
unreasonable.

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'