exim4:tls

Differences

This shows you the differences between two versions of the page.

exim4:tls [2016/11/30 12:13] – created peter
exim4:tls [2020/07/15 09:30] (current) – external edit 127.0.0.1
Line 1: Line 1:
 ====== Exim4 - TLS ====== ====== Exim4 - TLS ======
- 
-Generate your keys.  
- 
-first switch to cd /etc 
  
 ===== Generate a 1024-bit RSA key ===== ===== Generate a 1024-bit RSA key =====
  
 <code bash> <code bash>
-openssl req -x509 -newkey rsa:1024 -keyout eximrsa.key -out eximrsa.cert -days 9999 -nodes +openssl req -x509 -newkey rsa:1024 -keyout exim.key -out exim.crt -days 9999 -nodes 
 </code> </code>
  
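Review bot: the heading and the `openssl req` command still generate a 1024-bit RSA key (`rsa:1024`) valid for 9999 days; 1024-bit RSA has been considered too short for TLS server keys for years, so suggest `rsa:2048` or larger, a shorter validity period, and a heading that matches the new size. The key and certificate were also renamed from eximrsa.key/eximrsa.cert to exim.key/exim.crt, but the configuration lines that reference those files are not part of this diff, so confirm they were updated as well; because `-nodes` writes the private key unencrypted, the file should be readable only by the Exim user.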
Line 15: Line 11:
  
 <code bash> <code bash>
-openssl dhparam -out eximdeffie.key 1024 +openssl dhparam -out exim.dhparam 1024 
 </code> </code>
  
-The DH key is not required.+The DH key is optional
  
 +
 +===== Update Exim Config =====
  
 Edit your Exim's configuration file, adding the following lines: Edit your Exim's configuration file, adding the following lines:
  
 <file> <file>
-tls_advertise_hosts = *  
- 
  
 # Enable TLS with strong ciphers  # Enable TLS with strong ciphers 
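Review bot: `openssl dhparam -out exim.dhparam 1024` still produces 1024-bit Diffie-Hellman parameters, which are weak for DHE key exchange today; suggest 2048 bits or more (slower to generate, but a one-time cost). Separately, `tls_advertise_hosts = *` is removed from the top of the config fragment: unless it survives in the part of the <file> block this diff elides, Exim will no longer advertise STARTTLS and the TLS logging added further down will never trigger, so confirm the option is still present somewhere in the file. The replacement sentence "The DH key is optional" also lost its full stop.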
Line 47: Line 43:
 </file> </file>
  
-#************************+<WRAP info> 
 +If tls_dhparam is set, the SSL library is initialized for the use of Diffie-Hellman ciphers with the parameters contained in the file.  Set this to none to disable use of DH entirely, by making no prime available: 
 +</WRAP> 
 + 
 +<WRAP info> 
 +The ciphers could be set as something like: 
 + 
 +<code> 
 +tls_require_ciphers = ${if =={$received_port}{25}\ 
 +                           {DEFAULT}\ 
 +                           {HIGH:!MD5:!SHA1}} 
 +</code> 
 + 
 +Use this command to check the ciphers that openssl supports: 
 + 
 +<code bash> 
 +openssl ciphers 'HIGH:!MD5:!SHA1' 
 +</code> 
 +</WRAP> 
 +===== Logging =====
  
 During run-time mainlog entries showing TLS:  During run-time mainlog entries showing TLS: 
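Review bot: the new info box on `tls_dhparam` ends with "by making no prime available:" and the example the colon introduces is missing; either add the setting the text describes (the option set to `none`) or end the sentence there. The `tls_require_ciphers` expansion is sound: port 25 keeps DEFAULT so opportunistic STARTTLS from older senders still succeeds, while every other port demands HIGH without MD5 or SHA1; it is worth saying that explicitly, since the config comment promises "strong ciphers" and a reader may wonder why port 25 is exempted. Also add a blank line between `</WRAP>` and the new "===== Logging =====" heading so the heading renders.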
Line 63: Line 78:
 ### acl_start_tls: This access control list reports client used STARTTLS  ### acl_start_tls: This access control list reports client used STARTTLS 
 ###  ### 
- 
  
 acl_start_tls: acl_start_tls:
-         accept  logwrite = CRYPTO: Client  +  accept  logwrite = CRYPTO: Client $sender_host_address:$sender_host_port issued STARTTLS
-$sender_host_address:$sender_host_port issued STARTTLS +
  
  
Line 77: Line 89:
 acl_check_helo:  acl_check_helo: 
  
- +  
-         +  Report TLS status. 
-         report TLS status +  
-         +  warn    condition = ${if def:tls_in_cipher {1}{0}} 
-         warn    condition = ${if def:tls_in_cipher {1}{0}} +          logwrite = CRYPTO: Client $sender_host_address:$sender_host_port using SSL/TLS cipher: $tls_in_cipher
-                 logwrite = CRYPTO: Client  +
-$sender_host_address:$sender_host_port using SSL/TLS cipher: $tls_in_cipher+
  
 </file> </file>
 +
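Review bot: inside `acl_check_helo:` the line `Report TLS status.` is still not a comment; the old revision had the same defect with `report TLS status`. Exim parses every non-blank, non-comment line in an ACL as a verb, so it will reject this line as an unrecognised ACL verb rather than ignore it. Prefix it with `#` (`# Report TLS status`), as the `###` comment lines above `acl_start_tls:` already do. The `warn` with `condition = ${if def:tls_in_cipher {1}{0}}` and the logwrite now kept on a single line look correct.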
exim4/tls.1480508007.txt.gz · Last modified: 2020/07/15 09:30 (external edit)
