====== Exim4 - TLS ======
===== Generate an RSA key and self-signed certificate =====
The original page used rsa:1024. A 1024-bit RSA key is below the minimum that modern TLS clients accept (OpenSSL at security level 2, the Debian default, rejects it), so use at least 2048 bits. The certificate produced here is self-signed: it is enough for opportunistic STARTTLS on port 25, but clients that verify the server certificate will not trust it. The -nodes flag leaves the private key unencrypted so Exim can read it unattended; restrict the file to the Exim user.
openssl req -x509 -newkey rsa:2048 -keyout exim.key -out exim.crt -days 9999 -nodes
===== Generate Diffie-Hellman parameters =====
openssl dhparam -out exim.dhparam 2048
The DH parameter file is optional (see tls_dhparam below). The original page generated 1024-bit parameters; since the Logjam attack 2048 bits is the accepted minimum, and clients running at OpenSSL security level 2 refuse a 1024-bit group outright, which turns an opportunistic-TLS session into a failed handshake.
===== Update Exim Config =====
Edit the main section of your Exim configuration file, adding the following lines:
#
# Enable TLS with strong ciphers
#
# MAIN_TLS_ENABLE is a macro used by Debian's split exim4 configuration; in a
# hand-written exim.conf it is harmless but does nothing. TLS is enabled by
# setting tls_advertise_hosts.
MAIN_TLS_ENABLE = true
# Drop SSLv2/SSLv3 and TLS compression; let the server's preference order win.
openssl_options = -all +no_sslv2 +no_sslv3 +no_compression +cipher_server_preference
tls_certificate = /etc/exim/exim.crt
tls_privatekey = /etc/exim/exim.key
tls_dhparam = /etc/exim/exim.dhparam
tls_advertise_hosts = *
# Preference: all the EC and GCM first then degrade gracefully.
# The original list ended with ECDH+3DES:DH+3DES:RSA+3DES:RC4+MEDIUM; RC4 is
# broken and 3DES is no longer strong, so that tail is dropped here.
tls_require_ciphers = kEECDH+AESGCM:ECDH+AESGCM:DH+AESGCM:RSA+AESGCM:\
                      ECDH+AES:DH+AES256:ECDH+AES128:DH+AES:RSA+AES:\
                      !aNULL:!eNULL:!MD5:!DSS
# Advertise AUTH to TLS sessions only ($tls_in_cipher is empty before STARTTLS).
auth_advertise_hosts = ${if eq {$tls_in_cipher}{}{}{*}}
If tls_dhparam is set to a file path, the SSL library is initialised for Diffie-Hellman cipher suites with the parameters in that file. Setting it to none disables DH entirely by making no prime available. Leaving it unset lets Exim use its built-in default prime (recent versions also accept the name of a built-in RFC prime; see tls_dhparam in the Exim specification), which is why the file above is optional.
The cipher list can also depend on the port, keeping port 25 permissive for opportunistic TLS from arbitrary senders while the submission port demands more (the same pattern Debian's packaged configuration uses):
tls_require_ciphers = ${if =={$received_port}{25}\
                           {DEFAULT}\
                           {HIGH:!MD5:!SHA1}}
Note that HIGH, unlike DEFAULT, still admits anonymous (aNULL) suites, which encrypt without authenticating the server; append :!aNULL to the strict branch if that matters for your clients.
Use openssl ciphers to see exactly which suites a string expands to on the installed OpenSSL; -v adds the protocol, key-exchange, authentication and MAC columns:
openssl ciphers -v 'HIGH:!MD5:!SHA1'
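Seeing the expanded list is only half the check; what matters is which of those suites you would not want a submission client to negotiate. The following is an added example, not code from this page or from the Exim project: it expands a cipher string through the local OpenSSL via Python's ssl module (the same library Exim is linked against on that host) and labels each suite that is anonymous, uses RC4, 3DES, MD5 or an HMAC-SHA1 MAC, lacks forward secrecy, or is under 128 bits. ORIGINAL_LIST and PAGE_ALT are the two strings from this page (the former with the 3DES and RC4 tail the page originally had); HARDENED, the weakness rules and all function names are this example's own assumptions.

```python
"""Audit an OpenSSL cipher-list string as Exim's tls_require_ciphers applies it.

Added example; not code from the Exim project or the original page. It uses
Python's ssl module, so the result reflects the OpenSSL build on this host.
"""
import ssl

# The two cipher strings from the page. ORIGINAL_LIST keeps the 3DES/RC4 tail.
ORIGINAL_LIST = ("kEECDH+AESGCM:ECDH+AESGCM:DH+AESGCM:RSA+AESGCM:ECDH+AES:DH+AES256:"
                 "ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:RC4+MEDIUM:"
                 "!aNULL:!eNULL:!MD5:!DSS")
PAGE_ALT = "HIGH:!MD5:!SHA1"
# Assumed stricter string for comparison (this example's choice, not the page's).
HARDENED = "EECDH+AESGCM:EDH+AESGCM:EECDH+CHACHA20:!aNULL:!eNULL:!MD5:!SHA1"

EPHEMERAL_PREFIXES = ("ECDHE-", "DHE-", "EDH-", "ADH-", "AECDH-")


def cipher_flags(name, strength_bits):
    """Weakness labels for one OpenSSL suite name (TLS 1.2 and below).

    The rules are this example's own assumptions, not an OpenSSL classification."""
    flags = []
    if name.startswith(("ADH-", "AECDH-")):
        flags.append("aNULL")        # anonymous key exchange: no server authentication
    if "RC4" in name:
        flags.append("RC4")
    if "DES" in name:
        flags.append("3DES")         # DES-CBC3-SHA and relatives
    if name.endswith("-MD5"):
        flags.append("MD5")
    if name.endswith("-SHA"):
        flags.append("SHA1-MAC")     # CBC suites with HMAC-SHA1, e.g. ECDHE-RSA-AES256-SHA
    if not name.startswith(EPHEMERAL_PREFIXES):
        flags.append("no-PFS")       # static RSA or PSK key exchange
    if strength_bits < 128:
        flags.append("<128-bit")
    return flags


def audit_cipher_string(cipher_string):
    """Expand a cipher string via OpenSSL and return
    [(name, protocol, strength_bits, flags)] in server priority order.

    TLS 1.3 suites are configured separately in OpenSSL, so they are skipped."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)   # raises ssl.SSLError if nothing at all matches
    rows = []
    for c in ctx.get_ciphers():
        if c["protocol"] == "TLSv1.3":
            continue
        rows.append((c["name"], c["protocol"], c["strength_bits"],
                     cipher_flags(c["name"], c["strength_bits"])))
    return rows


def weak_ciphers(cipher_string):
    """Only the suites that carry at least one flag."""
    return [(name, flags) for name, _, _, flags in audit_cipher_string(cipher_string) if flags]


if __name__ == "__main__":
    for label, spec in (("original list", ORIGINAL_LIST), (PAGE_ALT, PAGE_ALT),
                        ("hardened", HARDENED)):
        rows = audit_cipher_string(spec)
        print(f"{label}: {len(rows)} suites, {len(weak_ciphers(spec))} flagged")
        for name, proto, bits, flags in rows:
            if flags:
                print(f"  {name:<34} {proto:<7} {bits:>3}  {', '.join(flags)}")
```

Run it on the mail server itself rather than a workstation: the suites that exist, and their order, depend on the OpenSSL version and its compile-time options (RC4 and 3DES, for instance, are absent from most current builds), so an audit elsewhere can miss what Exim will actually offer.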
===== Logging =====
At run time the mainlog then carries entries like these (the second is a single log line, wrapped here for display):
2016-04-07 00:08:31 CRYPTO: Client 209.216.229.3:53954 issued STARTTLS
2016-04-07 00:08:31 CRYPTO: Client 209.216.229.3:53954 using SSL/TLS cipher: TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256
They are written by the following ACL fragments, which must be wired in from the main section with acl_smtp_starttls = acl_start_tls and acl_smtp_helo = acl_check_helo. The second fires only for TLS sessions because a client must send EHLO again after STARTTLS, and $tls_in_cipher is set by then. Exim can also record the cipher itself in the X= field of the <= line through the tls_cipher log selector, which is on by default; the ACL lines add the earlier per-connection view.
###
### acl_start_tls: This access control list reports that the client used STARTTLS
### (hook it up with acl_smtp_starttls = acl_start_tls)
###
acl_start_tls:
  accept logwrite = CRYPTO: Client $sender_host_address:$sender_host_port issued STARTTLS

###
### acl_check_helo: check the HELO/EHLO
### (hook it up with acl_smtp_helo = acl_check_helo)
###
acl_check_helo:
  #
  # Report TLS status. def:tls_in_cipher is true only once TLS is up,
  # i.e. on the EHLO the client repeats after STARTTLS.
  #
  warn condition = ${if def:tls_in_cipher {1}{0}}
       logwrite  = CRYPTO: Client $sender_host_address:$sender_host_port using SSL/TLS cipher: $tls_in_cipher
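Once these lines are in the mainlog they are worth reviewing rather than just collecting. The following is an added example, not code from this page or from Exim: it groups the CRYPTO: lines by client address and source port, flags sessions that issued STARTTLS but never reached a cipher line (a failed or abandoned handshake, typically a client that could not agree on a suite or rejected the DH group), and flags legacy protocol versions and non-PFS or non-AEAD suites in the $tls_in_cipher value. The log lines are constructed for the example (the first two repeat the page's own; the other clients use documentation addresses), and the weakness rules are this example's assumptions, not Exim's.

```python
"""Review the CRYPTO: lines written by acl_start_tls / acl_check_helo.

Added example; not code from the original page or the Exim project.
"""
import re

# Constructed sample mainlog. Lines 1-2 repeat the page's own entries; the
# 198.51.100.x / 203.0.113.x / 2001:db8:: clients are documentation addresses.
SAMPLE_MAINLOG = """\
2016-04-07 00:08:31 CRYPTO: Client 209.216.229.3:53954 issued STARTTLS
2016-04-07 00:08:31 CRYPTO: Client 209.216.229.3:53954 using SSL/TLS cipher: TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256
2016-04-07 00:09:02 CRYPTO: Client 198.51.100.7:41022 issued STARTTLS
2016-04-07 00:09:02 CRYPTO: Client 198.51.100.7:41022 using SSL/TLS cipher: TLSv1:AES128-SHA:128
2016-04-07 00:09:40 CRYPTO: Client 203.0.113.9:50110 issued STARTTLS
2016-04-07 00:10:15 CRYPTO: Client 2001:db8::25:44013 issued STARTTLS
2016-04-07 00:10:15 CRYPTO: Client 2001:db8::25:44013 using SSL/TLS cipher: TLSv1.2:DHE-RSA-AES256-SHA:256
2016-04-07 00:10:20 1apXyz-0001Ab-Cd <= bob@example.net H=mail.example.net [203.0.113.9] P=esmtp S=1832
"""

# $sender_host_address may be IPv6, so the port is whatever follows the last colon.
CRYPTO_RE = re.compile(
    r"^(?P<ts>\S+ \S+) CRYPTO: Client (?P<host>\S+):(?P<port>\d+) "
    r"(?:(?P<starttls>issued STARTTLS)|using SSL/TLS cipher: (?P<cipher>\S+))$")


def parse_crypto_lines(text):
    """Group CRYPTO: lines by (client address, source port).

    Returns {(host, port): {"starttls": bool, "cipher": str | None}}; the
    cipher is Exim's $tls_in_cipher, i.e. "protocol:suite:bits"."""
    sessions = {}
    for line in text.splitlines():
        m = CRYPTO_RE.match(line)
        if not m:
            continue                      # ordinary mainlog line, e.g. the <= delivery
        key = (m["host"], int(m["port"]))
        s = sessions.setdefault(key, {"starttls": False, "cipher": None})
        if m["starttls"]:
            s["starttls"] = True
        else:
            s["cipher"] = m["cipher"]
    return sessions


def assess_session(s):
    """Findings for one session; an empty list means nothing to report.

    The protocol and suite rules are this example's own assumptions."""
    if s["starttls"] and s["cipher"] is None:
        return ["STARTTLS issued but no TLS session: handshake failed or was abandoned"]
    if s["cipher"] is None:
        return []
    proto, suite, bits = s["cipher"].split(":")
    findings = []
    if proto in ("SSLv3", "TLSv1", "TLSv1.1"):
        findings.append(f"legacy protocol {proto}")
    if not suite.startswith(("ECDHE-", "DHE-")):
        findings.append("no forward secrecy")
    if not any(tag in suite for tag in ("GCM", "CCM", "CHACHA20")):
        findings.append("non-AEAD suite (CBC + HMAC)")
    if int(bits) < 128:
        findings.append(f"{bits}-bit cipher")
    return findings


def review(text):
    """[(host, port, findings)] for every session with something to report."""
    out = []
    for (host, port), s in sorted(parse_crypto_lines(text).items()):
        findings = assess_session(s)
        if findings:
            out.append((host, port, findings))
    return out


if __name__ == "__main__":
    for host, port, findings in review(SAMPLE_MAINLOG):
        print(f"{host}:{port}  " + "; ".join(findings))
```

The ACLs above log only sessions that reach STARTTLS, so a client that never offers it leaves no CRYPTO: line at all; to spot those, look for <= lines with P=esmtp instead of P=esmtps (the last sample line shows the shape), which the parser here deliberately ignores.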