On 19/05/2019 18:00, Cyborg via Exim-users wrote: > Problem is, that even if tls_1.2 is out since 2008, a communication
> partner may use SSLv3 or TLS 1.0/1.1 and using just "encrypted = *" ,
> you will accept i
>
> It's better to check the protocol via $tls_cipher for tls 1.2 and 1.3 ,
> and reject anything not 1.2 or 1.3.
If you are concerned about TLS versions, the easiest configuration
is using tls_require_ciphers (for GnuTLS, where it is a GnuTLS priority
string) or openssl_options (for OpenSSL).
