Viktor Dukhovni via Exim-users writes

> If you have access to a computer with OpenSSL 3.5 (or later) you can
> check your server with:
>
>   $ host=your.server-fqdn.example
>   $ (sleep 2; printf 'QUIT\r\n') |
>       openssl s_client -starttls smtp -connect $host:25 \
>         -groups "*X25519MLKEM768:*X25519:P-256:ffdhe3072" -state -brief

Thank you for this. I went ahead with a test

  host=helos.openlib.org
  (sleep 2; printf 'QUIT\r\n') | openssl s_client -starttls smtp -connect $host:25 -groups "*X25519MLKEM768:*X25519:P-256:ffdhe3072" -state -brief

yields

  Connecting to 95.216.245.19
  SSL_connect:before SSL initialization
  SSL_connect:SSLv3/TLS write client hello
  SSL_connect:SSLv3/TLS write client hello
  SSL_connect:SSLv3/TLS read server hello
  SSL_connect:TLSv1.3 read encrypted extensions
  depth=0 CN=openlib.org
  verify error:num=10:certificate has expired
  notAfter=Aug 11 03:22:54 2025 GMT
  notAfter=Aug 11 03:22:54 2025 GMT
  SSL_connect:SSLv3/TLS read server certificate
  SSL_connect:TLSv1.3 read server certificate verify
  SSL_connect:SSLv3/TLS read finished
  SSL_connect:SSLv3/TLS write change cipher spec
  SSL_connect:SSLv3/TLS write finished
  CONNECTION ESTABLISHED
  Protocol version: TLSv1.3
  Ciphersuite: TLS_AES_256_GCM_SHA384
  Peer certificate: CN=openlib.org
  Hash used: SHA256
  Signature type: ecdsa_secp256r1_sha256
  Verification error: certificate has expired
  Peer Temp Key: X25519, 253 bits
  250 HELP
  DONE
  SSL3 alert write:warning:close notify

I run a plain vanilla "debian testing" box where I run my email.
These certificates are self-signed and are not rotated, I guess.
I do have letsencrypt DNS wildcard certificates for my openlib.org,
and they are rotated, but I have not made use of them in exim, and
I have not seen an instruction set on how to do this. I suspect
I am not the only amateurish little eximician like this. A pointer
to a good resource on what to do would be much welcome.

--
Written by Thomas Krichel http://openlib.org/home/krichel on his 22059th day.
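
For reading the result of the check above when it is run against many hosts: an added example, not part of either message, that pulls the selected key-exchange group and the certificate verification result out of saved "-brief" output. The function names are hypothetical, the sample is constructed from the summary lines in the session above, and the "Negotiated TLS1.3 group:" and "Verification: OK" lines do not appear on this page and are assumptions about how OpenSSL reports those cases.

```shell
# Added example: summarise saved `openssl s_client ... -brief` output.
# Constructed sample: summary lines copied from the session shown above.
sample_output() {
cat <<'EOF'
CONNECTION ESTABLISHED
Protocol version: TLSv1.3
Ciphersuite: TLS_AES_256_GCM_SHA384
Peer certificate: CN=openlib.org
Verification error: certificate has expired
Peer Temp Key: X25519, 253 bits
EOF
}

# field FILE KEY: print the value of the last "KEY: value" line, if any.
field() {
    awk -F': ' -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# Name of the key-exchange group the server selected.
kex_group() {
    g=$(field "$1" 'Peer Temp Key')
    # Assumption: groups with no classical temp key are reported on this line.
    [ -n "$g" ] || g=$(field "$1" 'Negotiated TLS1.3 group')
    g=${g%%,*}                      # drop the trailing ", 253 bits"
    echo "${g:-unknown}"
}

# hybrid-pq when the group name contains MLKEM, otherwise classical.
kex_class() {
    case "$(kex_group "$1")" in
        *MLKEM*) echo hybrid-pq ;;
        unknown) echo unknown ;;
        *)       echo classical ;;
    esac
}

# Certificate verification result as reported in the -brief summary.
cert_status() {
    err=$(field "$1" 'Verification error')
    if [ -n "$err" ]; then echo "FAIL: $err"
    elif grep -q '^Verification: OK' "$1"; then echo OK
    else echo unknown; fi
}

summarise() {
    printf 'protocol=%s kex_group=%s kex_class=%s cert=%s\n' \
        "$(field "$1" 'Protocol version')" "$(kex_group "$1")" \
        "$(kex_class "$1")" "$(cert_status "$1")"
}

tmp=$(mktemp) && sample_output > "$tmp" && summarise "$tmp"; rm -f "$tmp"
```

To use it on a real run, redirect the s_client output to a file and pass that file to summarise.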
