Folks, I've committed and pushed a change to the default Exim configuration file for the next Exim release. This change has the example SMTP Transport used for _smarthosts_, such as talking to an ISP, using TLS by default, with _strong_ TLS enabled, and certificate verification, and sending SNI.
The commented-out "smarthost" Router now uses a Transport named "smarthost_smtp" instead of "remote_smtp". The new smarthost_smtp currently looks like the text below, which is subject to change before the next release. NOTE: every single bit of this configuration should work with the current release of Exim, and the past several releases in fact. So you can try this out now to see if it works or not, if your current configuration isn't this demanding. *DO* watch your queues after doing so. Because many mail-clients are configured to talk directly to ISP smarthosts and mail-clients usually enable TLS with decent verification (or at least, the ones I use do), there _shouldn't_ be any issues. But if there are, then they're likely to be:

1. Mail-provider does not provide STARTTLS on their smarthost. In 2018. Seriously? Find a new mail-provider.

2. Certificate does not verify. File a Support request with the mail-provider to get it fixed. In 2018? Seriously consider a new mail-provider.

3. You have to comment out the tls_require_ciphers because the mail-provider is running with really poor TLS support. File a Support request. If they don't fix this quickly, then consider a new mail-provider.
The example configuration, all of which can be simplified by removing the .ifdef branches which don't apply to you:

--------------------------8< smarthost_smtp >8--------------------------
smarthost_smtp:
  driver = smtp
  message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
  multi_domain
  #
.ifdef _HAVE_TLS
  # Comment out any of these which you have to, then file a Support
  # request with your smarthost provider to get things fixed:
  hosts_require_tls = *
  tls_sni = $host
  tls_verify_hosts = *
  # As long as tls_verify_hosts is enabled, this won't matter, but if you
  # have to comment it out then this will at least log whether you succeed
  # or not:
  tls_try_verify_hosts = *
  #
.ifdef _HAVE_OPENSSL
  tls_require_ciphers = HIGH:@STRENGTH
.endif
.ifdef _HAVE_GNUTLS
  tls_require_ciphers = NONE:+VERS-TLS1.2:SECURE192
.endif
.endif
--------------------------8< smarthost_smtp >8--------------------------
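An added pre-flight check, not part of the post or of Exim itself: before switching your queue over to this transport, probe the smarthost with openssl s_client using the same requirements the transport imposes (STARTTLS, SNI, certificate verification, the OpenSSL HIGH:@STRENGTH cipher list) and map the result onto the three failure modes listed above. probe_smarthost needs network access; classify_probe works on captured output so it can be exercised offline. Host and port are assumptions you supply.

```shell
#!/bin/sh
# Probe a smarthost the way the smarthost_smtp transport will talk to it:
# STARTTLS on the SMTP port, SNI set to the host name, certificate
# verification treated as fatal, and the OpenSSL cipher list from the
# transport (HIGH:@STRENGTH). Requires the openssl CLI and network access.
probe_smarthost() {
    # $1 = smarthost name, $2 = port (e.g. 587 for submission, 25 otherwise)
    printf 'QUIT\r\n' | openssl s_client -starttls smtp \
        -connect "$1:$2" -servername "$1" \
        -verify_return_error -cipher 'HIGH:@STRENGTH' 2>&1
}

# Map captured s_client output onto the three failure modes from the post.
# $1 = full output of probe_smarthost. Prints one of:
#   no-starttls         (1) server offered no STARTTLS
#   cert-verify-failed  (2) certificate did not verify against the CA store
#   weak-tls            (3) no cipher acceptable under HIGH:@STRENGTH
#   ok                  handshake completed with a verified certificate
#   unknown             anything else; read the raw output
classify_probe() {
    out="$1"
    if printf '%s\n' "$out" | grep -q "didn't find starttls in server response"; then
        echo "no-starttls"
    elif printf '%s\n' "$out" | grep -Eq 'verify error:|Verify return code: [1-9]'; then
        echo "cert-verify-failed"
    elif printf '%s\n' "$out" | grep -Eq 'handshake failure|no ciphers available|alert number 40'; then
        echo "weak-tls"
    elif printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'; then
        echo "ok"
    else
        echo "unknown"
    fi
}

# Usage (live): classify_probe "$(probe_smarthost smarthost.example.net 587)"
```

Run it against the smarthost named in your Router before enabling the transport; anything other than "ok" corresponds to one of the numbered support-request cases above.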
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/