On 09/10/16 11:14, [email protected] wrote:
> Am I understanding you correctly? That you recommend every
> Exim admin using OpenSSL to specify in the beginning of Exim config
>
> tls_dhparam = /path/dhparam.pem
>
> where the file should be generated once with commands
>
> openssl dhparam -out /path/dhparam.pem 2236
> chown root:mail /path/dhparam.pem
> chmod 640 /path/dhparam.pem
>
> For FreeBSD the /path/ can be /usr/local/etc/exim/

Adjusting as needed for commands and paths on your system, yes.

But the threat being defended against is not the simplest
one around; more obvious ones include

- targets not supporting TLS at all
- MITM intercepting STARTTLS, forcing downgrade to cleartext
- MITM terminating TLS and retransmitting to target
- MITM intercepting DNS, forcing diversion to a different MTA

-- 
Cheers,
  Jeremy

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
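
Added example, not part of the original message or of Exim: a Python check that a file meant for `tls_dhparam` really holds DH parameters of the intended size and carries no permissions beyond those set by the quoted `chmod`. The function names are hypothetical, and the 2236-bit and 640 defaults are taken from the commands quoted in the thread.

```python
"""Added example: audit a PEM file intended for Exim's tls_dhparam option."""
import base64, os, re, stat, sys

PEM_RE = re.compile(
    r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S)

def read_tlv(buf, pos):
    """Decode one DER element at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def dh_prime_bits(pem_text):
    """Return the bit length of the prime p in a PKCS#3 DHParameter PEM."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, _ = read_tlv(der, 0)         # SEQUENCE { p INTEGER, g INTEGER }
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, p, _ = read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER for p")
    return int.from_bytes(p, "big").bit_length()

def audit_dhparam(path, min_bits=2236, max_mode=0o640):
    """Return (bits, problems). Defaults mirror the commands quoted above."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & ~max_mode:                   # any permission bit outside 640
        problems.append(f"mode {mode:o} grants more than {max_mode:o}")
    with open(path) as fh:
        bits = dh_prime_bits(fh.read())
    if bits < min_bits:
        problems.append(f"prime is {bits} bits, expected at least {min_bits}")
    return bits, problems

if __name__ == "__main__" and len(sys.argv) == 2:
    bits, problems = audit_dhparam(sys.argv[1])
    print(f"{bits}-bit prime;", "; ".join(problems) or "no problems")
    sys.exit(1 if problems else 0)
```

Run it with the path configured in `tls_dhparam` as the only argument; a non-zero exit status means the file is smaller or more permissive than intended.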
