[exim] Re: How to disable tls 1 and tls 1.1

Sat, 24 May 2025 12:13:00 -0700 

Helo
rezlut exim -bV | grep Support
Support for: Content_Scanning crypteq iconv() move_frozen_messages OpenSSL TLS_resume DKIM DNSSEC ESMTP_Limits ESMTP_Wellknown Event OCSP PIPECONNECT PRDR Queue_Ramp SPF TCP_Fast_Open 
regards
----- Original Message ----- From: "Andrew C Aitchison via Exim-users" <exim-users@lists.exim.org> 
To: "Slawomir Dworaczek via Exim-users" <exim-users@lists.exim.org>
Sent: Saturday, May 24, 2025 8:16 PM
Subject: [exim] Re: How to disable tls 1 and tls 1.1



On Sat, 24 May 2025, Slawomir Dworaczek via Exim-users wrote:
How to disable depracated protocols Tls 1 and tls 1.1 and enable only strong protocols 

Does your exim use GnuTLS or OpenSSL -
   exim -bV | grep Support
should tell you ?

Eugene Berdnikov said:

But if you are looking for adventures, ask google how to adjust
openssl_options (if your Exim was compiled with OpenSSL library)
or tls_require_ciphers (if Exim was compiled with GnuTLS).


Note that tls *ciphers* are different from the *protocols* and you
may or may not wish to keep tls 1.0 or 1.1 ciphers
even if you disable these protocols.

spec.txt chapter 43.5
 Requiring specific ciphers or other parameters in GnuTLS
says:
  The tls_require_ciphers option is available both as an global option,
  controlling how Exim behaves as a server, and also as an option of the
  smtp transport, controlling how Exim behaves as a client.
Which means you will have to set it in at least two places
(unless the system exim config uses macros ...)
For Debian/Ubuntu the default config may have options which simplify this (if the default is not already to only allow TLS1.2 and 1.3). 

Depending upon your operating system, you may be able to
configure TLS system-wide, rather than within Exim.
Since you want to disable TLS1.1 in Exim, I suspect that disabling
it for all TLS on the system is likely sensible.

--
Andrew C. Aitchison                      Kendal, UK
                   and...@aitchison.me.uk

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/ 
## unsubscribe (doesn't require an account):
##   exim-users-unsubscr...@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/




--
## subscription configuration (requires account):
##   https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
##   exim-users-unsubscr...@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Reply via email to