On 2018-04-22 Phil Pennock wrote:
> On 2018-04-21 at 11:23 +0200, Andreas Metzler via Exim-users wrote:
[...]
>> is going to be any effect, people won't change their email address
>> because the hosting smarthost does not provide TLS1.2 (due to SPF et
> I didn't actually provide a

On 2018-04-20 at 22:38 -0400, Viktor Dukhovni via Exim-users wrote:
> I'd make that:
>
> HIGH:!aNULL:!aDSS:!kECDHr:!kECDHe:!kDHr:!kDHd
>
> Because the ciphers are already sensibly ordered as of OpenSSL 1.0.0.
No matter what we tell people and how much we push towards 1.0.2 as a
minimum,
On 2018-04-21 at 11:23 +0200, Andreas Metzler via Exim-users wrote:
> Personally I am not convinced that this is the right way for trying to
> enforce stronger encryption standards on mail providers.
It's not about that. It's about providing people relying upon defaults
with worthwhile security,

On 21/04/18 01:17, Phil Pennock via Exim-users wrote:
> The commented-out "smarthost" Router now uses a Transport named
> "smarthost_smtp" instead of "remote_smtp". The new smarthost_smtp
> currently looks like the text below, which is subject to change before
> the next release.
Having split

Phil Pennock via Exim-users wrote:
[...]
> .ifdef _HAVE_GNUTLS
> tls_require_ciphers = NONE:+VERS-TLS1.2:SECURE192
> .endif
[...]
Hello,
That priority string does not work, it disables everything and does
not enable e.g. X509 support. Also it is subject to bitrot, it will

> On Apr 20, 2018, at 8:17 PM, Phil Pennock via Exim-users wrote:
>
> .ifdef _HAVE_OPENSSL
> tls_require_ciphers = HIGH:@STRENGTH
> .endif
I'd make that:
HIGH:!aNULL:!aDSS:!kECDHr:!kECDHe:!kDHr:!kDHd
Because the ciphers are already sensibly ordered as of

Folks,
I've committed and pushed a change to the default Exim configuration
file for the next Exim release. This change has the example SMTP
Transport used for _smarthosts_, such as talking to an ISP, using TLS by
default, with _strong_ TLS enabled, and certificate verification, and
sending SNI.