On Tue, Mar 17, 2015 at 04:26:38PM +0100, Markus Benning wrote:
> The better way would be to add configuration options for these parameters
> to amavisd and submit a patch for inclusion.
I just had a look at the code. The attached patch should add the
configuration parameters:
$smtpd_tls_cipher_list
$smtpd_tls_version
$smtp_tls_cipher_list
$smtp_tls_version
Markus
--
Markus Benning, https://markusbenning.de/
--- amavisd.orig 2015-03-17 16:17:09.000000000 +0100
+++ amavisd 2015-03-17 16:40:59.000000000 +0100
@@ -388,6 +388,8 @@
$smtp_connection_cache_on_demand $smtp_connection_cache_enable
$smtpd_recipient_limit
$smtpd_tls_cert_file $smtpd_tls_key_file
+ $smtpd_tls_cipher_list $smtpd_tls_version
+ $smtp_tls_cipher_list $smtp_tls_version
$enforce_smtpd_message_size_limit_64kb_min
$MAXLEVELS $MAXFILES
$MIN_EXPANSION_QUOTA $MIN_EXPANSION_FACTOR
@@ -1013,6 +1015,12 @@
$smtpd_tls_cert_file = undef; # e.g. "$MYHOME/cert/amavisd-cert.pem"
$smtpd_tls_key_file = undef; # e.g. "$MYHOME/cert/amavisd-key.pem"
+ # see https://metacpan.org/pod/distribution/IO-Socket-SSL/lib/IO/Socket/SSL.pod#SSL_version
+ $smtpd_tls_cipher_list = undef; # SSL_cipher_list (server side)
+ $smtpd_tls_version = undef; # SSL_version (server side)
+ $smtp_tls_cipher_list = undef; # SSL_cipher_list (client side)
+ $smtp_tls_version = undef; # SSL_version (client side)
+
$dkim_minimum_key_bits = 1024; # min acceptable DKIM key size (in bits)
# for whitelisting
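Review bot: The comments on the four new settings name the IO::Socket::SSL option they map to but not what the default of undef means for the running daemon, and the sample config is where an administrator will look first. The hunks at L35 and L60 omit the corresponding start_SSL argument entirely when a setting is undef, so the IO::Socket::SSL built-in default applies; say so here, e.g. `# undef = leave IO::Socket::SSL's default; a value is passed through unchanged as SSL_version / SSL_cipher_list` above the four assignments. It would also help to state that the smtp_* settings apply to outgoing (client) TLS and the smtpd_* settings to incoming (server) STARTTLS, since "client side" / "server side" alone is easy to misread.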
@@ -8386,9 +8394,15 @@
IO::Socket::SSL->VERSION(1.05); # required minimal version
$ssl_cache = IO::Socket::SSL::Session_Cache->new(2) if !defined $ssl_cache;
my $sock = $self->{socket};
+ my $smtp_tls_version = c('smtp_tls_version');
+ my $smtp_tls_cipher_list = c('smtp_tls_cipher_list');
IO::Socket::SSL->start_SSL($sock, SSL_session_cache => $ssl_cache,
SSL_error_trap =>
sub { my($sock,$msg)=@_; do_log(-2,"Error on socket: %s",$msg) },
+ defined $smtp_tls_version ?
+ ( SSL_version => $smtp_tls_version ) : (),
+ defined $smtp_tls_cipher_list ?
+ ( SSL_cipher_list => $smtp_tls_cipher_list ) : (),
%params,
) or die "Error upgrading socket to SSL: ".IO::Socket::SSL::errstr();
$self->{last_event} = 'ssl-upgrade';
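Review bot: The configured SSL_version and SSL_cipher_list are placed before `%params` in the start_SSL argument list, so any SSL_version or SSL_cipher_list key that a caller passes in %params silently overrides the administrator's configuration (later keys win in a hash). If the configuration is meant to be authoritative, move the two conditional pairs after `%params,`; if %params is meant to win, a one-line comment such as `# caller-supplied %params take precedence over the configured TLS settings` should record that. The enclosing method starts before and continues after this hunk, so I cannot see what callers pass in %params. The same precedence question does not arise in the server-side hunk at L60, which has no trailing hash.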
@@ -21936,6 +21950,8 @@
} else {
$self->smtp_resp(1,"220 2.0.0 Ready to start TLS"); #flush!
%announced_ehlo_keywords = ();
+ my $smtpd_tls_version = c('smtpd_tls_version');
+ my $smtpd_tls_cipher_list = c('smtpd_tls_cipher_list');
IO::Socket::SSL->start_SSL($sock,
SSL_server => 1, SSL_session_cache => 2,
SSL_error_trap => sub { my($sock,$msg)=@_;
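Review bot: The two `my ... = c(...)` lines plus the two `defined ... ? (...) : ()` pairs in the following hunk duplicate the client-side code added at L39-L47, differing only in the `smtp`/`smtpd` prefix, so a future TLS knob has to be added in two places. A small helper that returns the optional pairs for one side keeps both call sites to a single `tls_config_options('smtpd'),` argument. The enclosing STARTTLS handler starts before this hunk and the start_SSL call continues into the next one.
```perl
# Optional IO::Socket::SSL arguments taken from configuration for one side
# ('smtp' = outgoing client, 'smtpd' = incoming server). An undef setting
# yields no pair, so the IO::Socket::SSL default for that option stays in
# effect.
sub tls_config_options {
  my($side) = @_;
  my $version     = c($side . '_tls_version');
  my $cipher_list = c($side . '_tls_cipher_list');
  return (
    (defined $version     ? (SSL_version     => $version)     : ()),
    (defined $cipher_list ? (SSL_cipher_list => $cipher_list) : ()),
  );
}
# … unchanged: the start_SSL call then passes tls_config_options('smtpd'), …
```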
@@ -21943,6 +21959,10 @@
SSL_passwd_cb => sub { 'example' },
SSL_key_file => $smtpd_tls_key_file,
SSL_cert_file => $smtpd_tls_cert_file,
+ defined $smtpd_tls_version ?
+ ( SSL_version => $smtpd_tls_version ) : (),
+ defined $smtpd_tls_cipher_list ?
+ ( SSL_cipher_list => $smtpd_tls_cipher_list ) : (),
) or die "Error upgrading socket to SSL: ".
IO::Socket::SSL::errstr();
if ($self->{smtp_inpbuf} ne '') {
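Review bot: When an administrator sets a value that IO::Socket::SSL rejects, the only diagnostic is the existing `die "Error upgrading socket to SSL: ".IO::Socket::SSL::errstr()`, which does not say which of the two new settings was involved, and every incoming STARTTLS will then fail the same way. Logging the effective values once before start_SSL makes this easy to pin down, e.g. `do_log(5, "STARTTLS: SSL_version=%s, SSL_cipher_list=%s", $smtpd_tls_version, $smtpd_tls_cipher_list);` placed after the two `my` declarations in the hunk at L51 (undef will print as empty, which is acceptable at debug level). I have not verified whether IO::Socket::SSL croaks or returns false for an unknown SSL_version, so the failure may surface as a croak before this die is reached; either way the debug line identifies the configured values.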