Re: [exim] Cipher suites identifier
Thank you, Phil.
Is there a tool, like eximstats, that can help me get the percentage
of SMTP connections that are encrypted between my Exim4 server and
other mail servers?

On 06/08/2017 01:31, Phil Pennock wrote:
> On 2017-08-01 at 19:10 +0200, Luciano Rinetti wrote:
> > #exim -bV
> [...]
> > GnuTLS compile-time version: 2.8.6
> > GnuTLS runtime version: 2.8.6
>
> On 2017-08-05 at 11:09 +0200, Luciano Rinetti wrote:
> > #exim -bV
> > Exim version 4.74 #1 built 24-May-2011 20:35:05
> [...]
> > GnuTLS compile-time version: 2.8.6
> > GnuTLS runtime version: 2.8.6
>
> Since you've reposted the exact same information four days later, I'm
> confused. The request for information was:
>
> } What does it mean? Are GNUTLS encrypted sessions or OpenSSL encrypted
> } sessions?
>
> I think that your reposting means that you didn't notice these lines in
> the output?
>
> So: they're GnuTLS connections. Exim supports _either_ OpenSSL _or_
> GnuTLS. If you see one in the version output, then that is the TLS
> library provider in use.
>
> That's an old version of Exim, which pre-dates a bug-fix where for
> GnuTLS support we were reporting the size in bytes, not bits. So the
> ":32" at the end of "X=TLS1.0:RSA_AES_256_CBC_SHA1:32" is 32 8-bit
> bytes, or ":256" if expressed in bits.
>
> Exim's GnuTLS support was overhauled in 4.80 and has been improved
> since; the code in 4.74 only supports some old ciphersuites which will
> be increasingly limiting on today's Internet. I would not recommend
> those suites today.
>
> (History: when GnuTLS support was added to Exim, GnuTLS was missing some
> API features which would let it handle a lot of the feature tuning, so
> the Exim glue code did a lot of low-level tinkering itself. Over time,
> GnuTLS became more full-featured and so several years back we rewrote
> Exim's bindings to use the GnuTLS features. With newer Exim, you get
> TLS1.2 support and much more modern ciphers.)
>
> Be very _very_ careful with online documentation around TLS for such an
> old version of Exim. Make sure that you're looking at the documentation
> for _that_ version, not the current documentation.
>
> With newer Exim, run >> exim -d-all+dns -bV << to see the library
> versions of everything (the TLS library stuff is no longer shown by
> default).
>
> -Phil

--
Best Regards

Luciano Rinetti
l.rine...@movimatica.com
Mob. 335.7878.602

Movimatica S.r.l.
www.movimatica.com - i...@movimatica.com
Operating office: Centro Pier della Francesca
Fabbricato 4, Scala P, 2° Piano
C.so Svizzera, 185 - 10149 Torino - Italy
Tel. +39 011 7767694 - Fax +39 011 746179

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
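Added example, not part of the original thread and not an Exim tool: a small Python script that answers the percentage question above from the main log, counting remote arrivals (`<=`) and deliveries (`=>`) that carry an `X=` field, and converting the logged key size to bits for old GnuTLS builds that logged bytes, as Phil describes. It assumes the default main-log layout with the `X=` cipher field logged; the function names, the `size_in_bytes` switch and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of Exim main-log lines (ids, hosts and addresses are made up).
SAMPLE_LOG = """\
2017-08-05 11:09:01 1dZaaa-0001Xy-AB <= a@example.org H=mx.example.org [192.0.2.10] P=esmtps X=TLS1.0:RSA_AES_256_CBC_SHA1:32 S=2301
2017-08-05 11:09:02 1dZaaa-0001Xy-AB => b@example.net R=dnslookup T=remote_smtp H=mx.example.net [198.51.100.7] X=TLS1.0:RSA_AES_128_CBC_SHA1:16
2017-08-05 11:10:40 1dZaab-0001Yz-CD <= c@example.com H=relay.example.com [203.0.113.5] P=esmtp S=980
2017-08-05 11:10:41 1dZaab-0001Yz-CD => user <user@example.it> R=local_user T=maildir_home
2017-08-05 11:12:13 1dZaac-0001Za-EF <= root@example.it U=root P=local S=410
2017-08-05 11:12:14 1dZaac-0001Za-EF => d@example.net R=dnslookup T=remote_smtp H=mx.example.net [198.51.100.7]
"""

FLAG = re.compile(r" (<=|=>) ")      # message arrival / first delivery
X_FIELD = re.compile(r" X=(\S+)")    # only logged when the session used TLS


def normalise_cipher(x_value, size_in_bytes):
    """Return 'PROTO:SUITE:SIZE' with SIZE in bits.

    size_in_bytes=True is for old Exim/GnuTLS builds (such as the 4.74 in
    this thread) that logged the key size in bytes: ':32' becomes ':256'.
    """
    parts = x_value.split(":")
    if len(parts) != 3 or not parts[2].isdigit():
        return x_value  # unexpected shape: leave untouched
    bits = int(parts[2]) * 8 if size_in_bytes else int(parts[2])
    return f"{parts[0]}:{parts[1]}:{bits}"


def tls_share(log_text, size_in_bytes=False):
    """Percentage of remote SMTP arrivals/deliveries that were encrypted."""
    stats = {"in": [0, 0], "out": [0, 0]}  # direction -> [encrypted, total]
    ciphers = Counter()
    for line in log_text.splitlines():
        flag = FLAG.search(line)
        if not flag or " H=" not in line:
            continue  # not an arrival/delivery, or no remote host involved
        direction = "in" if flag.group(1) == "<=" else "out"
        stats[direction][1] += 1
        x = X_FIELD.search(line)
        if x:
            stats[direction][0] += 1
            ciphers[normalise_cipher(x.group(1), size_in_bytes)] += 1
    pct = {d: (100.0 * e / t if t else 0.0) for d, (e, t) in stats.items()}
    return pct, ciphers


if __name__ == "__main__":
    print(tls_share(SAMPLE_LOG, size_in_bytes=True))
```

The figures are per logged message arrival or delivery, not per TCP connection, and local submissions and local deliveries (no `H=` field) are left out of the totals.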
Re: [exim] Cipher suites identifier
On 2017-08-01 at 19:10 +0200, Luciano Rinetti wrote:
> #exim -bV
[...]
> GnuTLS compile-time version: 2.8.6
> GnuTLS runtime version: 2.8.6

On 2017-08-05 at 11:09 +0200, Luciano Rinetti wrote:
> #exim -bV
> Exim version 4.74 #1 built 24-May-2011 20:35:05
[...]
> GnuTLS compile-time version: 2.8.6
> GnuTLS runtime version: 2.8.6

Since you've reposted the exact same information four days later, I'm
confused. The request for information was:

} What does it mean? Are GNUTLS encrypted sessions or OpenSSL encrypted
} sessions?

I think that your reposting means that you didn't notice these lines in
the output?

So: they're GnuTLS connections. Exim supports _either_ OpenSSL _or_
GnuTLS. If you see one in the version output, then that is the TLS
library provider in use.

That's an old version of Exim, which pre-dates a bug-fix where for
GnuTLS support we were reporting the size in bytes, not bits. So the
":32" at the end of "X=TLS1.0:RSA_AES_256_CBC_SHA1:32" is 32 8-bit
bytes, or ":256" if expressed in bits.

Exim's GnuTLS support was overhauled in 4.80 and has been improved
since; the code in 4.74 only supports some old ciphersuites which will
be increasingly limiting on today's Internet. I would not recommend
those suites today.

(History: when GnuTLS support was added to Exim, GnuTLS was missing some
API features which would let it handle a lot of the feature tuning, so
the Exim glue code did a lot of low-level tinkering itself. Over time,
GnuTLS became more full-featured and so several years back we rewrote
Exim's bindings to use the GnuTLS features. With newer Exim, you get
TLS1.2 support and much more modern ciphers.)

Be very _very_ careful with online documentation around TLS for such an
old version of Exim. Make sure that you're looking at the documentation
for _that_ version, not the current documentation.

With newer Exim, run >> exim -d-all+dns -bV << to see the library
versions of everything (the TLS library stuff is no longer shown by
default).

-Phil
Re: [exim] Cipher suites identifier
#exim -bV
Exim version 4.74 #1 built 24-May-2011 20:35:05
Copyright (c) University of Cambridge, 1995 - 2007
Berkeley DB: Berkeley DB 4.8.30: (April 9, 2010)
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc GnuTLS move_frozen_messages Content_Scanning DKIM Old_Demime
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmnz dnsdb dsearch ldap ldapdn ldapm mysql nis nis0 passwd pgsql sqlite
Authenticators: cram_md5 cyrus_sasl dovecot plaintext spa
Routers: accept dnslookup ipliteral iplookup manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Fixed never_users: 0
Size of off_t: 8
GnuTLS compile-time version: 2.8.6
GnuTLS runtime version: 2.8.6
Configuration file is /etc/exim4/exim4.conf

On 2017-07-30 20:42, Heiko Schlittermann wrote:
> Luciano Rinetti (Sun 30 Jul 2017 11:25:01 CEST):
> …
> > But in my log file(s) I never find sessions with hyphen separator, only with
> > underscore, like:
> > X=TLS1.0:RSA_AES_256_CBC_SHA1:32
> >
> > What does it mean? Are GNUTLS encrypted sessions or OpenSSL encrypted sessions?
>
> Without checking the source… I'd guess the output depends on the TLS
> library your Exim is linked with.
>
> Check the output from exim -bV around line 5.
>
> For my understanding, there isn't such a thing as a GNUTLS or OpenSSL
> encrypted session.

--
Best Regards

Luciano Rinetti
Re: [exim] Cipher suites identifier
Luciano Rinetti (Sun 30 Jul 2017 11:25:01 CEST):
…
> But in my log file(s) I never find sessions with hyphen separator, only with
> underscore, like:
> X=TLS1.0:RSA_AES_256_CBC_SHA1:32
>
> What does it mean? Are GNUTLS encrypted sessions or OpenSSL encrypted sessions?

Without checking the source… I'd guess the output depends on the TLS
library your Exim is linked with.

Check the output from exim -bV around line 5.

For my understanding, there isn't such a thing as a GNUTLS or OpenSSL
encrypted session.

Best regards from Dresden/Germany
Heiko Schlittermann
--
SCHLITTERMANN.de internet & unix support
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3}
gnupg encrypted messages are welcome - key ID: F69376CE
! key id 7CBF764A and 972EAC9F are revoked since 2015-01
Re: [exim] Cipher suites identifier
Thank you for the answer.
This is the output:

# exim -bV | grep 'Support'
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc GnuTLS move_frozen_messages Content_Scanning DKIM Old_Demime

On 2017-07-30 09:52, Jeremy Harris wrote:
> On 30/07/17 10:25, Luciano Rinetti wrote:
> > What does it mean? Are GNUTLS encrypted sessions or OpenSSL encrypted
> > sessions?
> >
>
> will tell you which of the two TLS libraries your exim is compiled with.
> --
> Cheers,
> Jeremy

--
Best Regards

Luciano Rinetti
Re: [exim] Cipher suites identifier
On 30/07/17 10:25, Luciano Rinetti wrote:
> What does it mean? Are GNUTLS encrypted sessions or OpenSSL encrypted
> sessions?

This command line:

  exim -bV | grep 'Support'

will tell you which of the two TLS libraries your exim is compiled with.
--
Cheers,
  Jeremy