On Sun, May 25, 2025 at 12:54:29PM +0100, Mike Cardwell via Exim-users wrote:

> > How to disable deprecated protocols TLS 1 and TLS 1.1 and enable only
> > strong protocols
> 
> I don't know what the generally accepted config is for SMTP TLS these
> days, but bear in mind that a connecting MTA may decide to fall back to
> plain text if it can't agree a protocol/cipher with you. I'd rather
> have mail sent over TLS 1 than over plain text. Might be worth checking
> your logs first to see what protocols are in use. You might need to
> turn on some tls logging options first though. I have these in my
> log_selector: +tls_peerdn +tls_certificate_verified +tls_cipher
> +tls_sni. See
> https://www.exim.org/exim-html-current/doc/html/spec_html/ch-log_files.html

That'd be my advice also.  There are no significant issues with TLS 1.0
or 1.1 that are relevant to SMTP, especially when TLS is opportunistic.

That said, systems that can't do TLS 1.2 or 1.3 are quite rare these
days, so the impact of turning these off is by now likely negligible for
most users.

Unless one has on-prem equipment that only supports TLS 1.0, turning off
TLS 1.0 and 1.1 should be fine.  OpenSSL has a "MinProtocol" feature, I
don't know whether exim exposes controls for that.  If not, it can be
set system-wide in "openssl.cnf".

    openssl_conf = default_settings

    # -----
    [default_settings]
    ssl_conf = default_ssl_settings

    [default_ssl_settings]
    system_default = ssl_init_settings

    [ssl_init_settings]
    MinProtocol = TLSv1.2
    ...

-- 
    Viktor.
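One way to do the log check Mike suggests before switching TLS 1.0/1.1 off: tally which protocol versions peers actually negotiate, and which hosts would be affected. This is an added example, not code from either poster or from the Exim project. It assumes Exim's default main log layout, where a TLS session is recorded as `X=<protocol>:<cipher>:<bits>` on "<=" (received) and "=>" (delivered) lines and the peer appears as `H=<host> [<ip>]`; the sample log lines below are constructed, and the normalisation of OpenSSL-style "TLSv1" labels to GnuTLS-style "TLS1.0" is my own convention.

```python
import re
from collections import Counter, defaultdict

# Constructed Exim main log lines (not from any real system). A "<=" line is a
# message received, a "=>" line a delivery; lines without an X= field were
# plaintext sessions.
SAMPLE_LOG = """\
2025-05-25 12:01:02 1uJ1aa-0001Ab-2C <= alice@example.net H=mx1.example.net [192.0.2.10] P=esmtps X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=no S=2048 for bob@example.com
2025-05-25 12:02:11 1uJ1ab-0001Ac-3D <= carol@example.org H=legacy.example.org [192.0.2.20] P=esmtps X=TLS1.0:ECDHE-RSA-AES256-SHA:256 CV=no S=1500 for bob@example.com
2025-05-25 12:03:45 1uJ1ac-0001Ad-4E <= dave@example.net H=mx2.example.net [198.51.100.5] P=esmtps X=TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=yes S=3100 for bob@example.com
2025-05-25 12:04:10 1uJ1ad-0001Ae-5F <= scanner@example.com H=old-printer.example.com [192.0.2.30] P=esmtp S=900 for bob@example.com
2025-05-25 12:05:22 1uJ1ae-0001Af-6G => bob@example.com R=dnslookup T=remote_smtp H=mail.example.com [203.0.113.7] X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=yes C="250 OK"
2025-05-25 12:06:30 1uJ1af-0001Ag-7H <= carol@example.org H=legacy.example.org [192.0.2.20] P=esmtps X=TLS1.1:ECDHE-RSA-AES128-SHA:128 CV=no S=1700 for bob@example.com
"""

# Protocol labels that the MinProtocol = TLSv1.2 setting discussed above would refuse.
LEGACY_PROTOCOLS = {"TLS1.0", "TLS1.1"}

DIRECTION_RE = re.compile(r"\s(<=|=>)\s")
HOST_RE = re.compile(r"\sH=(\S+)")
TLS_RE = re.compile(r"\sX=([^:\s]+):")


def normalise_protocol(label):
    """Map the version label Exim logs to a single form.

    GnuTLS builds log e.g. "TLS1.0"; OpenSSL builds log e.g. "TLSv1" or
    "TLSv1.1". This mapping is an assumption of this example, not something
    Exim itself does.
    """
    label = label.replace("TLSv", "TLS")
    if label == "TLS1":
        label = "TLS1.0"
    return label


def summarize_tls(log_text):
    """Return (counts, legacy_hosts).

    counts maps direction ("<=" or "=>") to a Counter of protocol labels,
    with "plaintext" for sessions that carried no X= field.
    legacy_hosts maps each peer host still negotiating TLS 1.0/1.1 to the set
    of legacy versions seen from it, so the operator knows who would be
    affected by raising the minimum protocol.
    """
    counts = {"<=": Counter(), "=>": Counter()}
    legacy_hosts = defaultdict(set)

    for line in log_text.splitlines():
        direction = DIRECTION_RE.search(line)
        if not direction:
            continue  # not a receive/deliver line (e.g. "Completed")
        tls = TLS_RE.search(line)
        proto = normalise_protocol(tls.group(1)) if tls else "plaintext"
        counts[direction.group(1)][proto] += 1

        if proto in LEGACY_PROTOCOLS:
            host = HOST_RE.search(line)
            if host:
                legacy_hosts[host.group(1)].add(proto)

    return counts, dict(legacy_hosts)


def report(log_text):
    """Print a short summary suitable for deciding whether to raise MinProtocol."""
    counts, legacy_hosts = summarize_tls(log_text)
    for direction, label in (("<=", "received"), ("=>", "delivered")):
        total = sum(counts[direction].values())
        print(f"{label}: {total} sessions")
        for proto, n in counts[direction].most_common():
            print(f"  {proto:<10} {n}")
    if legacy_hosts:
        print("hosts still using TLS 1.0/1.1 (would be cut off by MinProtocol = TLSv1.2):")
        for host, protos in sorted(legacy_hosts.items()):
            print(f"  {host}: {', '.join(sorted(protos))}")
    else:
        print("no TLS 1.0/1.1 sessions seen")


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

Run it against a real log with `python3 script.py < /var/log/exim4/mainlog` after replacing `SAMPLE_LOG` with `sys.stdin.read()`; the interesting line is the list of legacy hosts, which is what the "on-prem equipment that only supports TLS 1.0" caveat is about. Note that a peer which is refused at TLS 1.0 and then retries in plaintext will show up as a "plaintext" session rather than disappearing, so the plaintext count is worth re-checking after the change.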
