Phil Pennock via Exim-users <[email protected]> wrote:
[...]
> .ifdef _HAVE_GNUTLS
> tls_require_ciphers = NONE:+VERS-TLS1.2:SECURE192
> .endif
[...]

Hello,

That priority string does not work, it disables everything and does not enable e.g. X509 support. Also it is subject to bitrot, it will need updating when TLS1.3 is common. If you wanted to disable TLS 1.0 and 1.1 now you could simply use NORMAL:-VERS-TLS1.0:-VERS-TLS1.1 or SECURE192:-VERS-TLS1.0:-VERS-TLS1.1.

Personally I am not convinced that this is the right way for trying to enforce stronger encryption standards on mail providers. I doubt there is going to be any effect, people won't change their email address because the hosting smarthost does not provide TLS1.2 (due to SPF et al they cannot simply switch smarthosts) and mail providers still not providing TLS1.2 will not change their service due to a couple of strange reports from exim users.

cu Andreas

--
`What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.'
`I sew his ears on from time to time, sure'
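One way to check the three priority strings from this message before putting one into `tls_require_ciphers`, as an added example that is not part of the original message. It assumes `gnutls-cli` is installed and that its `--list` output ends with a `Protocols:` summary line; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report which protocol versions a GnuTLS priority string enables.

# legacy_versions LINE
# Prints the pre-TLS1.2 protocol tokens found in a "Protocols:" line,
# space separated. Prints nothing when the line has none.
legacy_versions() {
    printf '%s\n' "$1" | tr -d ' ' | sed 's/^Protocols://' | tr ',' '\n' |
        grep -E '^VERS-(SSL3\.0|TLS1\.0|TLS1\.1)$' |
        tr '\n' ' ' | sed 's/ $//'
}

# protocols_for PRIORITY
# Asks the local GnuTLS to expand PRIORITY and prints its "Protocols:" line.
# Returns non-zero when gnutls-cli rejects the string or prints no such line.
protocols_for() {
    out=$(gnutls-cli --list --priority "$1" 2>/dev/null) || return 1
    printf '%s\n' "$out" | grep '^Protocols:'
}

# audit PRIORITY
# One summary line per priority string: legacy versions found, then the raw line.
audit() {
    if ! line=$(protocols_for "$1"); then
        echo "$1: rejected by GnuTLS, or no Protocols line printed"
        return 0
    fi
    legacy=$(legacy_versions "$line")
    echo "$1: legacy=${legacy:-none} | $line"
}

if command -v gnutls-cli >/dev/null 2>&1; then
    # The quoted string and the two alternatives suggested in the message.
    for p in 'NONE:+VERS-TLS1.2:SECURE192' \
             'NORMAL:-VERS-TLS1.0:-VERS-TLS1.1' \
             'SECURE192:-VERS-TLS1.0:-VERS-TLS1.1'; do
        audit "$p"
    done
else
    echo "gnutls-cli not found; install the GnuTLS command-line tools" >&2
fi
```

Results depend on the installed GnuTLS version, so run it on the host where Exim is deployed.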
