Re: [exim] Next Exim: TLS: changed smarthost example config

2018-04-22 Thread Andreas Metzler via Exim-users
On 2018-04-22 Phil Pennock wrote:
> On 2018-04-21 at 11:23 +0200, Andreas Metzler via Exim-users wrote:
[...]
>> is going to be any effect, people won't change their email address
>> because the hosting smarthost does not provide TLS1.2 (due to SPF et
> I didn't actually provide a

Re: [exim] Next Exim: TLS: changed smarthost example config

2018-04-21 Thread Phil Pennock via Exim-users
On 2018-04-20 at 22:38 -0400, Viktor Dukhovni via Exim-users wrote:
> I'd make that:
>
> HIGH:!aNULL:!aDSS:!kECDHr:!kECDHe:!kDHr:!kDHd
>
> Because, the ciphers are already sensibly ordered as of OpenSSL 1.0.0.

No matter what we tell people and how much we push towards 1.0.2 as a minimum,

Re: [exim] Next Exim: TLS: changed smarthost example config

2018-04-21 Thread Phil Pennock via Exim-users
On 2018-04-21 at 11:23 +0200, Andreas Metzler via Exim-users wrote:
> Personally I am not convinced that this is the right way for trying to
> enforce stronger encryption standards on mail providers.

It's not about that. It's about providing people relying upon defaults with worthwhile security,

Re: [exim] Next Exim: TLS: changed smarthost example config

2018-04-21 Thread Jeremy Harris via Exim-users
On 21/04/18 01:17, Phil Pennock via Exim-users wrote:
> The commented-out "smarthost" Router now uses a Transport named
> "smarthost_smtp" instead of "remote_smtp". The new smarthost_smtp
> currently looks like the text below, which is subject to change before
> the next release.

Having split

Re: [exim] Next Exim: TLS: changed smarthost example config

2018-04-21 Thread Andreas Metzler via Exim-users
Phil Pennock via Exim-users wrote:
[...]
> .ifdef _HAVE_GNUTLS
> tls_require_ciphers = NONE:+VERS-TLS1.2:SECURE192
> .endif
[...]

Hello,

That priority string does not work, it disables everything and does not enable e.g. X509 support. Also it is subject to bitrot, it will

Re: [exim] Next Exim: TLS: changed smarthost example config

2018-04-20 Thread Viktor Dukhovni via Exim-users
> On Apr 20, 2018, at 8:17 PM, Phil Pennock via Exim-users wrote:
>
> .ifdef _HAVE_OPENSSL
> tls_require_ciphers = HIGH:@STRENGTH
> .endif

I'd make that:

HIGH:!aNULL:!aDSS:!kECDHr:!kECDHe:!kDHr:!kDHd

Because, the ciphers are already sensibly ordered as of

[exim] Next Exim: TLS: changed smarthost example config

2018-04-20 Thread Phil Pennock via Exim-users
Folks, I've committed and pushed a change to the default Exim configuration file for the next Exim release. This change has the example SMTP Transport used for _smarthosts_, such as talking to an ISP, using TLS by default, with _strong_ TLS enabled, and certificate verification, and sending SNI.