Hi,

On Tue, 23 Aug 2022 12:33:47 +0200 Carsten Schiefner via mailop
<mailop@mailop.org> wrote:

> would you mind reporting back then and to share that particular exim 
> config snippet that does the trick?

No problem ;-)

It is really simple. Exim's spec (4.94.2) says:

  For dual-stack (eg. RSA and ECDSA) configurations, these options can
  be colon-separated lists of file paths. Ciphers using given
  authentication algorithms require the presence of a suitable
  certificate to supply the public-key. The server selects among the
  certificates to present to the client depending on the selected
  cipher, hence the priority ordering for ciphers will affect which
  certificate is used. 

I understand the spec to mean that the first suitable cert/key pair will be
used if the client supports both, so the order depends on your preference.

All that is needed is (to prefer the EC pair):

  tls_certificate = /pathto/eccert : /pathto/rsacert
  tls_privatekey =  /pathto/eckey : /pathto/rsakey

Only make sure that the order of the RSA/EC files is the same in both
options, as in the example.

I use a more complicated lookup based on the SNI name, but it basically
returns strings as above. I have set it up on my MSA so far, and it seems
to work; at least my tests were successful, internal mail flows and
password attacks don't stop ;-)

BTW, does someone know what the attackers are trying to achieve with an
empty login name? Is it some known bug in some setups, or only a mistake
in their script?

regards

-- 
Slavko
https://www.slavino.sk

Attachment: pgpubDmV3_cbA.pgp
Description: OpenPGP digital signature
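An added check (not from Slavko's post or from Exim itself) for the ordering requirement above: it takes the two option values as written, splits them the way Exim splits a colon list, and verifies with the openssl CLI that each certificate's public key matches the private key at the same position, so a swapped RSA/EC entry is caught before Exim serves a certificate it has no key for. File paths are placeholders passed as arguments.

```sh
#!/bin/sh
# Verify that position i of tls_certificate pairs with position i of
# tls_privatekey (same SubjectPublicKeyInfo). Requires the openssl CLI.
# Usage: check_exim_tls_pairs "<tls_certificate value>" "<tls_privatekey value>"

# Split an Exim-style colon-separated list into one item per line, trimming
# surrounding whitespace. (The "::" escape for a literal colon is not handled;
# certificate paths do not normally contain colons.)
split_exim_list() {
    printf '%s\n' "$1" | tr ':' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | sed '/^$/d'
}

# Returns 0 when every cert/key pair matches, 1 on any mismatch or read error.
check_exim_tls_pairs() {
    certs=$(split_exim_list "$1")
    keys=$(split_exim_list "$2")
    ncerts=$(printf '%s\n' "$certs" | wc -l | tr -d ' ')
    nkeys=$(printf '%s\n' "$keys" | wc -l | tr -d ' ')
    if [ "$ncerts" -ne "$nkeys" ]; then
        echo "list lengths differ: $ncerts certificate(s) vs $nkeys key(s)" >&2
        return 1
    fi
    status=0
    i=1
    while [ "$i" -le "$ncerts" ]; do
        cert=$(printf '%s\n' "$certs" | sed -n "${i}p")
        key=$(printf '%s\n' "$keys" | sed -n "${i}p")
        # Both commands emit the public key as a PEM "PUBLIC KEY" block, so the
        # two outputs are byte-identical exactly when the key belongs to the cert.
        cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
        key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
        if [ -z "$cert_pub" ] || [ -z "$key_pub" ]; then
            echo "entry $i: cannot read $cert or $key" >&2
            status=1
        elif [ "$cert_pub" = "$key_pub" ]; then
            alg=$(openssl x509 -in "$cert" -noout -text 2>/dev/null \
                  | sed -n 's/.*Public Key Algorithm: //p' | head -1)
            echo "entry $i: OK ($alg) $cert <-> $key"
        else
            echo "entry $i: MISMATCH $cert does not match $key" >&2
            status=1
        fi
        i=$((i + 1))
    done
    return $status
}

if [ "$#" -eq 2 ]; then
    check_exim_tls_pairs "$1" "$2"
fi
```

Run it once after every certificate renewal, since a renewal that rewrites only one of the two files is the easiest way to end up with mismatched lists.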

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
