On 2018-04-22 Phil Pennock <[email protected]> wrote:
> On 2018-04-21 at 11:23 +0200, Andreas Metzler via Exim-users wrote:
[...]
>> is going to be any effect, people won't change their email address
>> because the hosting smarthost does not provide TLS1.2 (due to SPF et

> I didn't actually provide a wet-finger-in-air assessment of this point.
> I covered "no TLS", "unverifiable certificate" and "ciphersuite
> problems".
[...]
> I mapped "ciphersuite problems" to something which folks should expect
> their mail provider to be able to fix quickly. If there are issues and
> they can't be fixed quickly, then why trust that the provider can do
> much of anything to provide TLS service?

> I did not map "no TLS1.2 support" but would tend to treat it much like
> ciphersuite problems.
[...]

Good morning,

I understood
| hosts_require_tls = *
| [...]
| tls_require_ciphers = NONE:+VERS-TLS1.2:SECURE192
as intent to require a) TLS and b) not any TLS-version, but TLS 1.2. If
that is not the case the proper fix is not the one I originally posted
but to simply not set tls_require_ciphers for GnuTLS, since the
defaults (exim uses NORMAL - see "gnutls-cli --list --priority=NORMAL")
are not unreasonable.

cu Andreas
--
`What a good friend you are to him, Dr. Maturin.
His other friends are so grateful to you.'
`I sew his ears on from time to time, sure'

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
