Exim4 - TLS

Generate a 1024-bit RSA key

openssl req -x509 -newkey rsa:1024 -keyout exim.key -out exim.crt -days 9999 -nodes 

Generate a 1024-bit Diffie-Hellman key

openssl dhparam -out exim.dhparam 1024 

The DH parameter file is optional.

Update Exim Config

Edit your Exim's configuration file, adding the following lines:

#
# Enable TLS with strong ciphers
#
MAIN_TLS_ENABLE = true

openssl_options = -all +no_sslv2 +no_sslv3 +no_compression +cipher_server_preference

tls_certificate = /etc/exim/exim.crt
tls_privatekey = /etc/exim/exim.key
tls_dhparam = /etc/exim/exim.dhparam
tls_advertise_hosts = *

# Preference: all the EC and GCM suites first, then degrade gracefully.
tls_require_ciphers = kEECDH+AESGCM:ECDH+AESGCM:DH+AESGCM:RSA+AESGCM:ECDH+AES:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:RC4+MEDIUM:!aNULL:!eNULL:!MD5:!DSS

# Advertise auth to TLS sessions only.
auth_advertise_hosts = ${if eq {$tls_in_cipher}{}{}{*}}

If tls_dhparam is set, the SSL library is initialized for the use of Diffie-Hellman ciphers with the parameters contained in the file. Set it to none to disable the use of DH entirely, by making no prime available.

The cipher list can also be chosen per port, for example:

tls_require_ciphers = ${if =={$received_port}{25}\
                           {DEFAULT}\
                           {HIGH:!MD5:!SHA1}}

Use this command to check which ciphers your OpenSSL build selects for a given cipher string:

openssl ciphers 'HIGH:!MD5:!SHA1'

Logging

At run time, mainlog entries like these show the TLS session:

2016-04-07 00:08:31 CRYPTO: Client 209.216.229.3:53954 issued STARTTLS
2016-04-07 00:08:31 CRYPTO: Client 209.216.229.3:53954 using SSL/TLS cipher: TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256

They are generated by this part of my config:

### 
### acl_start_tls: This access control list reports client used STARTTLS 
### 

acl_start_tls:
  accept  logwrite = CRYPTO: Client $sender_host_address:$sender_host_port issued STARTTLS


### 
### acl_check_helo: check the HELO/EHLO 
### 

acl_check_helo: 

  #
  # Report TLS status.
  #
  warn    condition = ${if def:tls_in_cipher {1}{0}}
          logwrite = CRYPTO: Client $sender_host_address:$sender_host_port using SSL/TLS cipher: $tls_in_cipher
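As an added example (not part of the original page or of Exim itself), here is a small Python audit over the CRYPTO: lines the ACLs above write. It parses the $tls_in_cipher field and reports which clients actually landed on the RC4/3DES fallbacks or on pre-1.2 protocols that the cipher list still admits, which is the evidence you want before tightening tls_require_ciphers. The policy thresholds and the sample log lines are assumptions constructed for the example.

```python
import re
from collections import Counter

# Matches the "using SSL/TLS cipher:" lines the acl_check_helo logwrite above
# produces; $tls_in_cipher expands to PROTOCOL:SUITE:BITS. The host group is
# greedy so IPv6 addresses (which contain colons) still split on the last ":port".
CIPHER_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) CRYPTO: Client (?P<host>.+):(?P<port>\d+) "
    r"using SSL/TLS cipher: (?P<proto>[^:]+):(?P<suite>[^:]+):(?P<bits>\d+)$"
)
# Policy for this example (assumed, not stated on the page): the cipher list
# above still admits RC4 and 3DES as a last resort and pins no protocol floor,
# so report the sessions that actually landed on those fallbacks.
LEGACY_SUITE_TOKENS = ("RC4", "3DES", "DES-CBC3")
MODERN_PROTOCOLS = ("TLS1.2", "TLS1.3")

def parse_cipher_line(line):
    """Parse one mainlog line into a dict; None for lines that are not cipher reports."""
    m = CIPHER_LINE.match(line.strip())
    if not m:
        return None
    s = m.groupdict()
    s["port"], s["bits"] = int(s["port"]), int(s["bits"])
    return s

def weaknesses(s):
    """Reasons a stricter tls_require_ciphers would refuse this session."""
    reasons = []
    if s["proto"].replace("TLSv", "TLS") not in MODERN_PROTOCOLS:  # accept either spelling
        reasons.append(f"protocol {s['proto']}")
    if any(tok in s["suite"] for tok in LEGACY_SUITE_TOKENS):
        reasons.append(f"legacy suite {s['suite']}")
    if s["bits"] < 128:
        reasons.append(f"{s['bits']}-bit key")
    return reasons

def audit(lines):
    """Return (session count, Counter of suites, [(session, reasons)] for weak ones)."""
    sessions = [s for s in map(parse_cipher_line, lines) if s is not None]
    weak = [(s, weaknesses(s)) for s in sessions if weaknesses(s)]
    return len(sessions), Counter(s["suite"] for s in sessions), weak

# Constructed sample lines in the format the ACLs above write (not real traffic).
SAMPLE_LOG = """\
2016-04-07 00:08:31 CRYPTO: Client 192.0.2.10:53954 issued STARTTLS
2016-04-07 00:08:31 CRYPTO: Client 192.0.2.10:53954 using SSL/TLS cipher: TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256
2016-04-07 00:09:02 CRYPTO: Client 2001:db8::25:41022 using SSL/TLS cipher: TLSv1:DES-CBC3-SHA:168
2016-04-07 00:09:40 CRYPTO: Client 192.0.2.77:50211 using SSL/TLS cipher: TLSv1.2:RC4-SHA:128
""".splitlines()
```

Run it against a real mainlog with `audit(open("/var/log/exim/mainlog"))` (path is an assumption); the "issued STARTTLS" lines are skipped because only the cipher report carries the negotiated suite.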