I'm running an Exim MTA which only receives emails from a few other systems under my control. All these systems happily negotiate TLSv1.2/TLSv1.3 with my MTA. I would like to disable support for TLSv1.0 and TLSv1.1 but I can't find instructions on how to do so.

All software is installed from the official Debian 10 repository (Exim 4.92, GnuTLS 3.6.6).

Martin Konrad

3 Answers

Add the following line to the file /etc/exim4/exim4.conf.template, for example in the TLS section (or as described here):

tls_require_ciphers = SECURE192:!VERS-SSL3.0:!VERS-TLS1.0:!VERS-TLS1.1:!VERS-DTLS0.9:!VERS-DTLS1.0
  • Restart/reload exim with sudo systemctl restart exim4.

  • Verify that the Exim setting has been updated with sudo exim -bP | grep tls_require_ciphers.

For further reading on tls_require_ciphers see here.

site
GnuTLS options in Exim

See the bit about using tls_require_ciphers and the GnuTLS priority string definitions. The example which pertains to you is:

tls_require_ciphers = NORMAL:%LATEST_RECORD_VERSION:-VERS-SSL3.0

... which you could further tweak to suit your own requirements.

AdminBee
Greem
Add a line like this to the config file. Edit it for your required and unrequired ciphers.

# We need to disable SSL2 and key lengths < 128 bits for PCI compliance
tls_require_ciphers = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+SHA:!MD5:!LOW:!SSLv2:!EXP:!DES
birdwes
  • Note that I would like to disable old _protocol_ versions which is an orthogonal problem to disabling ciphers. – Martin Konrad Jul 10 '20 at 01:59
  • "to the config file", which one? Exim is the absolute worst in documenting where config should go, I've been reading for a full hour in their docs, but it's still unclear. – Julius Feb 28 '23 at 16:25
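The three answers above each propose a value for tls_require_ciphers, and with Exim built against GnuTLS (as Debian's package is) that value is a GnuTLS priority string, not an OpenSSL cipher list. The script below is an added example, not code from the page, from Exim or from GnuTLS: it is a simplified offline model of how GnuTLS applies an initial keyword (NORMAL, SECURE192, ...) and the +/-/! operators to the set of protocol versions, and it audits each of the three proposed lines plus an allow-list variant. It assumes GnuTLS 3.6.x defaults (every initial keyword except NONE starts with TLS1.0 through TLS1.3 and DTLS1.0/1.2) and that Debian's libgnutls30 is built without SSL3.0; the sample config lines are constructed here, and the real arbiter of what a string enables is gnutls-cli --list --priority "<string>" on the MTA itself.

```python
"""Offline check of which protocol versions a GnuTLS priority string leaves
enabled. This is a simplified model of the version-selection rules only;
`gnutls-cli --list --priority "<string>"` is authoritative."""
from __future__ import annotations

# Assumption: GnuTLS 3.6.x defaults. Every initial keyword except NONE starts
# with these versions. SSL3.0 is compiled out of Debian's libgnutls30, so it
# is never enabled even when a string asks for it (assumption, see lead-in).
DEFAULT_VERSIONS = frozenset({"TLS1.3", "TLS1.2", "TLS1.1", "TLS1.0", "DTLS1.2", "DTLS1.0"})
ALL_TLS = frozenset({"SSL3.0", "TLS1.0", "TLS1.1", "TLS1.2", "TLS1.3"})
ALL_DTLS = frozenset({"DTLS0.9", "DTLS1.0", "DTLS1.2"})
COMPILED_OUT = frozenset({"SSL3.0"})
INITIAL_KEYWORDS = {
    kw: DEFAULT_VERSIONS
    for kw in ("NORMAL", "SECURE128", "SECURE192", "SECURE256", "PFS", "PERFORMANCE")
}
INITIAL_KEYWORDS["NONE"] = frozenset()
# Versions an SMTP server should no longer offer. DTLS is irrelevant for
# SMTP over TCP, so it is not counted as a finding.
LEGACY_TLS = frozenset({"SSL3.0", "TLS1.0", "TLS1.1"})


def _version_set(target: str) -> frozenset[str]:
    """Expand the text after 'VERS-' (e.g. 'TLS1.0', 'TLS-ALL', 'ALL')."""
    if target == "ALL":
        return ALL_TLS | ALL_DTLS
    if target == "TLS-ALL":
        return ALL_TLS
    if target == "DTLS-ALL":
        return ALL_DTLS
    if target in ALL_TLS or target in ALL_DTLS:
        return frozenset({target})
    raise ValueError(f"unknown protocol version VERS-{target}")


def enabled_versions(priority: str) -> set[str]:
    """Return the protocol versions a priority string enables, applying
    keywords and the +/-/! operators left to right as GnuTLS does."""
    tokens = [t.strip() for t in priority.split(":") if t.strip()]
    if not tokens:
        raise ValueError("empty priority string")
    enabled: set[str] = set()
    for i, tok in enumerate(tokens):
        upper = tok.upper()
        if upper in INITIAL_KEYWORDS:          # NORMAL, SECURE192, ... reset the set
            enabled = set(INITIAL_KEYWORDS[upper])
            continue
        if i == 0:
            # GnuTLS rejects a string that does not open with a keyword it knows;
            # 'ALL', 'HIGH' and friends are OpenSSL cipher-list syntax.
            raise ValueError(f"{tok!r} is not a GnuTLS initial keyword")
        op, body = upper[0], upper[1:]
        if op in "%@":                         # runtime option / system profile: no version effect
            continue
        if op not in "+-!":
            raise ValueError(f"{tok!r} lacks a GnuTLS operator (+, - or !)")
        if not body.startswith("VERS-"):       # cipher, MAC, KX, ... tokens do not change versions
            continue
        versions = _version_set(body[len("VERS-"):])
        if op == "+":
            enabled |= versions - COMPILED_OUT
        else:                                  # '-' and '!' are synonyms in GnuTLS
            enabled -= versions
    return enabled


def audit_tls_require_ciphers(line: str) -> dict:
    """Audit one Exim 'tls_require_ciphers = <priority>' configuration line."""
    key, sep, value = (part.strip() for part in line.partition("="))
    if not sep or key != "tls_require_ciphers":
        raise ValueError("expected a 'tls_require_ciphers = ...' line")
    try:
        enabled = enabled_versions(value)
    except ValueError as exc:
        # An unparsable string makes gnutls_priority_init() fail, so Exim
        # cannot start TLS at all: it fails closed rather than silently open.
        return {"valid": False, "error": str(exc), "enabled": [], "legacy_tls": [], "ok": False}
    legacy = sorted(enabled & LEGACY_TLS)
    return {"valid": True, "error": "", "enabled": sorted(enabled), "legacy_tls": legacy, "ok": not legacy}


# Constructed sample lines: the three strings proposed in the answers plus an
# allow-list variant that names the versions to keep rather than the ones to drop.
SAMPLE_LINES = {
    "answer1": "tls_require_ciphers = SECURE192:!VERS-SSL3.0:!VERS-TLS1.0:!VERS-TLS1.1:!VERS-DTLS0.9:!VERS-DTLS1.0",
    "answer2": "tls_require_ciphers = NORMAL:%LATEST_RECORD_VERSION:-VERS-SSL3.0",
    "answer3": "tls_require_ciphers = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+SHA:!MD5:!LOW:!SSLv2:!EXP:!DES",
    "allowlist": "tls_require_ciphers = NORMAL:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3",
}

if __name__ == "__main__":
    for name, line in SAMPLE_LINES.items():
        print(name, audit_tls_require_ciphers(line))
```

Under these assumptions the model reports the first answer's string as leaving only TLS1.2, TLS1.3 and DTLS1.2 enabled, the second as still offering TLS1.0 and TLS1.1 (it only removes SSL3.0, which Debian's build never offered), and the third as unparsable because ALL is not a GnuTLS keyword. After changing the line and restarting exim4, confirm the result on the box with gnutls-cli -l --priority "<string>" and from one of the peer systems with a forced old-version handshake, e.g. gnutls-cli --starttls-proto=smtp --priority 'NORMAL:-VERS-ALL:+VERS-TLS1.0' -p 25 mta.example (hostname is a placeholder), which should now fail while a TLS1.2/1.3 connection still succeeds.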