50-tls-options 2.68 KB
Newer Older
Steve Kemp's avatar
Added  
Steve Kemp committed
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
# If Exim is compiled with support for TLS, you may want to enable the
# following options so that Exim allows clients to make encrypted
# connections. In the authenticators section below, there are template
# configurations for plaintext username/password authentication. This kind
# of authentication is only safe when used within a TLS connection, so the
# authenticators will only work if the following TLS settings are turned on
# as well.

# Allow any client to use TLS.

tls_advertise_hosts = *

# Specify the location of the Exim server's TLS certificate and private key.
# The private key must not be encrypted (password protected). You can put
# the certificate and private key in the same file, in which case you only
# need the first setting, or in separate files, in which case you need both
# options.

19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
# Log the TLS_SNI string when an email is accepted.

log_selector = +tls_sni

# Use the domain certificate, if there's a matching domain, and the certificate exists
# otherwise use the default certificate.

tls_certificate = \
    ${if and {\
                 { eq {${domain:foo@$tls_in_sni}} {$tls_in_sni}}\
                 { exists{/srv/$tls_in_sni/config/ssl/current/ssl.combined} }\
             }\
             {/srv/$tls_in_sni/config/ssl/current/ssl.combined}\
             {/etc/ssl/ssl.combined}\
     }

# "tls_privatekey" defaults to the value of tls_certificate, which is fine
# as we are using the combined certificate.
Steve Kemp's avatar
Added  
Steve Kemp committed
37
38
39
40
41
42
43
44
45
46
47
48

# In order to support roaming users who wish to send email from anywhere,
# you may want to make Exim listen on other ports as well as port 25, in
# case these users need to send email from a network that blocks port 25.
# The standard port for this purpose is port 587, the "message submission"
# port. See RFC 4409 for details. Microsoft MUAs cannot be configured to
# talk the message submission protocol correctly, so if you need to support
# them you should also allow TLS-on-connect on the traditional but
# non-standard port 465.

tls_on_connect_ports = 465

49
#
50
51
52
53
# Sensible set of TLS ciphers.  This is loosely based on the "intermediate"
# suite described at https://wiki.mozilla.org/Security/Server_Side_TLS.  RC4 is
# removed unless the connecting port is 25, so ancient remote mail servers
# don't break too badly.
54
#
Paul Cammish's avatar
Paul Cammish committed
55
56
57
tls_require_ciphers  = %SERVER_PRECEDENCE:%LATEST_RECORD_VERSION:%COMPAT:SECURE128:SECURE192:-VERS-SSL3.0:-VERS-TLS1.0:-MD5:\
                       -CURVE-SECP192R1:-CURVE-SECP224R1:-CAMELLIA-256-CBC:-CAMELLIA-192-CBC:-CAMELLIA-128-CBC:\
                       -CAMELLIA-128-GCM:-CAMELLIA-256-GCM\
58
                       ${if !eq{$received_port}{25}{:-ARCFOUR-128}}
59
60
61
62
63

#
# This stores the DH parameters in /var/spool/exim4/gnutls-dhparam-NNNN.
#
tls_dhparam = historic
64