More and more Internet security diagnostic tools (such as Immuniweb and
Hardenize) specify that mail servers should be able to offer their preferred
encryption algorithms. They consider it a security risk if the server must
not be configured to select the best-available suite.
They say: "The server does not prefer cipher suites. We advise to enable
this feature in order to enforce use of the best cipher suites selected."
On Exim the order of the encryption string, present in "tls_require_ciphers"
does not matter, the order is not used.
I think this requires the switch to "Server preference", via the
openssl_options: "+cipher_server_preference", but it is not enough for the
server to define a recommended encryption algorithm.
How is it possible to define a cipher algorithm preference, please?
