Sorry, there was an error in the patch. I added a few more options which may be of interest:
+ $smtpd_tls_cipher_list = undef; # SSL_cipher_list + $smtpd_tls_version = undef; # SSL_version + $smtpd_tls_CAfile = undef; # SSL_ca_file + $smtpd_tls_honor_cipher_order = undef; # SSL_honor_cipher_order + $smtpd_dh_params_file = undef; # SSL_dh_file + + $smtp_tls_cipher_list = undef; # SSL_cipher_list + $smtp_tls_version = undef; # SSL_version + $smtp_tls_CAfile = undef; # SSL_client_ca_file For documentation of parameters see the IO::Socket::SSL man page. On Fri, Mar 20, 2015 at 03:07:34PM +0000, Grooz, Marc (regio iT) wrote: > Thank You! The ssl_cipher_list isn't respected by amavis especially with the > smtpd. Any idear? -- Markus Benning, https://markusbenning.de/
--- amavisd.orig 2015-03-17 16:17:09.000000000 +0100
+++ amavisd 2015-03-23 08:54:54.000000000 +0100
@@ -388,6 +388,8 @@
$smtp_connection_cache_on_demand $smtp_connection_cache_enable
$smtpd_recipient_limit
$smtpd_tls_cert_file $smtpd_tls_key_file
+ $smtpd_tls_cipher_list $smtpd_tls_version
+ $smtpd_tls_CAfile $smtpd_tls_honor_cipher_order $smtpd_dh_params_file
$enforce_smtpd_message_size_limit_64kb_min
$MAXLEVELS $MAXFILES
$MIN_EXPANSION_QUOTA $MIN_EXPANSION_FACTOR
@@ -407,6 +409,8 @@
@dkim_signing_keys_list @dkim_signing_keys_storage
$file $altermime $enable_anomy_sanitizer
)],
+ 'tls_client' => [qw( $smtp_tls_cipher_list $smtp_tls_version
+ $smtp_tls_CAfile)],
'sa' => # global SpamAssassin settings
[qw(
$spamcontrol_obj $sa_num_instances
@@ -512,7 +516,8 @@
)],
);
Exporter::export_tags qw(dynamic_confvars confvars sa platform
- hidden_confvars legacy_dynamic_confvars legacy_confvars);
+ hidden_confvars legacy_dynamic_confvars legacy_confvars
+ tls_client );
1;
} # BEGIN
@@ -1013,6 +1018,17 @@
$smtpd_tls_cert_file = undef; # e.g. "$MYHOME/cert/amavisd-cert.pem"
$smtpd_tls_key_file = undef; # e.g. "$MYHOME/cert/amavisd-key.pem"
+ # see https://metacpan.org/pod/distribution/IO-Socket-SSL/lib/IO/Socket/SSL.pod#SSL_version
+ $smtpd_tls_cipher_list = undef; # SSL_cipher_list
+ $smtpd_tls_version = undef; # SSL_version
+ $smtpd_tls_CAfile = undef; # SSL_ca_file
+ $smtpd_tls_honor_cipher_order = undef; # SSL_honor_cipher_order
+ $smtpd_dh_params_file = undef; # SSL_dh_file
+
+ $smtp_tls_cipher_list = undef; # SSL_cipher_list
+ $smtp_tls_version = undef; # SSL_version
+ $smtp_tls_CAfile = undef; # SSL_client_ca_file
+
$dkim_minimum_key_bits = 1024; # min acceptable DKIM key size (in bits)
# for whitelisting
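Review bot: The new configuration knobs are documented only by the IO::Socket::SSL option name they map to; an operator reading amavisd.conf cannot tell that `undef` means "leave the library default in place" or what a valid value looks like. Suggest extending the trailing comments, e.g. `$smtpd_tls_version = undef; # SSL_version, e.g. 'SSLv23:!SSLv3:!SSLv2'; undef = IO::Socket::SSL default` and `$smtpd_tls_cipher_list = undef; # SSL_cipher_list, e.g. 'HIGH:!aNULL:!MD5'`. For `$smtpd_dh_params_file` a note that the file should contain parameters of at least 2048 bits (`openssl dhparam -out dh2048.pem 2048`) would avoid operators pointing it at a weak legacy group.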
@@ -7934,7 +7950,7 @@
use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION);
$VERSION = '2.404';
@ISA = qw(Exporter);
- import Amavis::Conf qw(:platform);
+ import Amavis::Conf qw(:platform :tls_client);
import Amavis::Util qw(ll do_log min max minmax idn_to_ascii);
}
@@ -8389,6 +8405,12 @@
IO::Socket::SSL->start_SSL($sock, SSL_session_cache => $ssl_cache,
SSL_error_trap =>
sub { my($sock,$msg)=@_; do_log(-2,"Error on socket: %s",$msg) },
+ defined $smtp_tls_version ?
+ ( SSL_version => $smtp_tls_version ) : (),
+ defined $smtp_tls_cipher_list ?
+ ( SSL_cipher_list => $smtp_tls_cipher_list ) : (),
+ defined $smtp_tls_CAfile ?
+ ( SSL_client_ca_file => $smtp_tls_CAfile ) : (),
%params,
) or die "Error upgrading socket to SSL: ".IO::Socket::SSL::errstr();
$self->{last_event} = 'ssl-upgrade';
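Review bot: `SSL_client_ca_file` in the added `$smtp_tls_CAfile` mapping is the server-side option naming the CAs a listener will accept client certificates from; on this outbound client connection it does not supply the trust anchors used to verify the remote server's certificate. The client-side option for that is `SSL_ca_file` (or `SSL_ca_path`), so the line should read `( SSL_ca_file => $smtp_tls_CAfile ) : (),`. Note also that a CA file only has effect when peer verification is requested via `SSL_verify_mode => SSL_VERIFY_PEER`; whether `%params` on the following line carries that is not visible here, and if it does not, a companion verify-mode knob is needed for the CA file to mean anything. The enclosing method starts and ends outside this hunk.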
@@ -21943,6 +21965,16 @@
SSL_passwd_cb => sub { 'example' },
SSL_key_file => $smtpd_tls_key_file,
SSL_cert_file => $smtpd_tls_cert_file,
+ defined $smtpd_tls_version ?
+ ( SSL_version => $smtpd_tls_version ) : (),
+ defined $smtpd_tls_cipher_list ?
+ ( SSL_cipher_list => $smtpd_tls_cipher_list ) : (),
+ defined $smtpd_tls_CAfile ?
+ ( SSL_ca_file => $smtpd_tls_CAfile ) : (),
+ defined $smtpd_tls_honor_cipher_order ?
+ ( SSL_honor_cipher_order => $smtpd_tls_honor_cipher_order ) : (),
+ defined $smtpd_dh_params_file ?
+ ( SSL_dh_file => $smtpd_dh_params_file ) : (),
) or die "Error upgrading socket to SSL: ".
IO::Socket::SSL::errstr();
if ($self->{smtp_inpbuf} ne '') {
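Review bot: `SSL_ca_file` in the added `$smtpd_tls_CAfile` mapping is only consulted when the listener requests client certificates, which requires `SSL_verify_mode` to be set to `SSL_VERIFY_PEER`; no such option is added in this hunk and none appears among the visible existing arguments, so setting `$smtpd_tls_CAfile` alone will not authenticate connecting clients. If client-certificate authentication is the intent, add a `$smtpd_tls_verify_mode` knob mapped the same way, e.g. `defined $smtpd_tls_verify_mode ? ( SSL_verify_mode => $smtpd_tls_verify_mode ) : (),`; otherwise document in the config that the CA file has no effect without it. The surrounding constructor call starts and ends outside this hunk.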
