openssl req -x509 -newkey rsa:2048 -keyout exim.key -out exim.crt -days 9999 -nodes
openssl dhparam -out exim.dhparam 2048
Use at least 2048 bits for both the RSA key and the DH parameters: 1024-bit RSA and DH are considered breakable, and OpenSSL builds that run at security level 2 (the default on current Debian and derivatives) refuse them outright, so a 1024-bit DH file silently leaves you with no DH ciphers at all. The DH parameter file is optional; if tls_dhparam is left unset Exim falls back to a built-in default prime.
Edit your Exim's configuration file, adding the following lines:
#
# Enable TLS with strong ciphers
#
MAIN_TLS_ENABLE = true
openssl_options = -all +no_sslv2 +no_sslv3 +no_compression +cipher_server_preference
tls_certificate = /etc/exim/exim.crt
tls_privatekey = /etc/exim/exim.key
tls_dhparam = /etc/exim/exim.dhparam
tls_advertise_hosts = *
# Preference: all the EC and GCM suites first, then degrade gracefully.
# RC4 is excluded outright (it is broken, not merely weak); the 3DES entries
# are a last-resort fallback for legacy peers and can be dropped if none remain.
tls_require_ciphers = kEECDH+AESGCM:ECDH+AESGCM:DH+AESGCM:RSA+AESGCM:ECDH+AES:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!aNULL:!eNULL:!MD5:!DSS:!RC4
# Advertise AUTH to TLS sessions only, so credentials never cross the wire in clear.
auth_advertise_hosts = ${if eq {$tls_in_cipher}{}{}{*}}
If tls_dhparam is set, the SSL library is initialised for Diffie-Hellman key exchange with the parameters contained in that file. Setting it to none disables DH entirely by making no prime available; ECDHE suites are unaffected by this option.
The cipher list can also depend on the port the client connected to, for example:
tls_require_ciphers = ${if =={$received_port}{25}\
                      {DEFAULT}\
                      {HIGH:!MD5:!SHA1}}
The reasoning is that on port 25 TLS is opportunistic: a remote MTA that cannot agree on a cipher will simply deliver in cleartext, so a permissive list there keeps more mail encrypted. On the submission ports, where you control the clients, you can insist on HIGH ciphers without MD5 or SHA-1 MACs.
# Use this command to check the ciphers that openssl supports:
openssl ciphers 'HIGH:!MD5:!SHA1'
At run time, mainlog entries showing TLS look like this:
2016-04-07 00:08:31 CRYPTO: Client 209.216.229.3:53954 issued STARTTLS
2016-04-07 00:08:31 CRYPTO: Client 209.216.229.3:53954 using SSL/TLS cipher: TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256
These are generated by this part of my config (the two ACLs are wired in with the main options acl_smtp_starttls = acl_start_tls and acl_smtp_helo = acl_check_helo):
###
### acl_start_tls: This access control list reports that the client issued STARTTLS
###
acl_start_tls:
  accept
    logwrite = CRYPTO: Client $sender_host_address:$sender_host_port issued STARTTLS

###
### acl_check_helo: check the HELO/EHLO
###
acl_check_helo:
  #
  # Report TLS status. The client must send EHLO again after STARTTLS, so this
  # ACL runs a second time with $tls_in_cipher set (protocol:suite:bits).
  #
  warn
    condition = ${if def:tls_in_cipher {1}{0}}
    logwrite  = CRYPTO: Client $sender_host_address:$sender_host_port using SSL/TLS cipher: $tls_in_cipher
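The openssl ciphers check above and the CRYPTO: mainlog lines both invite a repeatable audit, so here is an added Python example (my addition to this page, not part of the Exim configuration shown or of Exim itself). It parses the "using SSL/TLS cipher" lines the ACLs write, flags sessions that negotiated an obsolete protocol or suite, and uses Python's ssl module, which drives the same OpenSSL cipher-string parser as the openssl ciphers command, to show which suites DEFAULT admits on port 25 that HIGH:!MD5:!SHA1 refuses on submission. The sample log lines are constructed, and the list of weak protocols and suite-name markers is my own policy, not one published by Exim or OpenSSL.

```python
import re
import ssl

# Constructed sample of Exim mainlog lines in the shape the logwrite ACL
# statements above produce (not taken from a real server).
SAMPLE_LOG = """\
2016-04-07 00:08:31 CRYPTO: Client 192.0.2.10:53954 issued STARTTLS
2016-04-07 00:08:31 CRYPTO: Client 192.0.2.10:53954 using SSL/TLS cipher: TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256
2016-04-07 00:09:02 CRYPTO: Client 198.51.100.7:41233 issued STARTTLS
2016-04-07 00:09:02 CRYPTO: Client 198.51.100.7:41233 using SSL/TLS cipher: TLSv1:DES-CBC3-SHA:168
2016-04-07 00:09:40 CRYPTO: Client 203.0.113.9:50112 issued STARTTLS
2016-04-07 00:09:40 CRYPTO: Client 203.0.113.9:50112 using SSL/TLS cipher: TLSv1.1:RC4-SHA:128
2016-04-07 00:10:15 CRYPTO: Client 203.0.113.9:50113 issued STARTTLS
"""

# One "using SSL/TLS cipher" line: $tls_in_cipher expands to protocol:suite:bits.
CIPHER_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) CRYPTO: Client (?P<ip>[0-9a-fA-F.:]+):(?P<port>\d+) "
    r"using SSL/TLS cipher: (?P<proto>[^:]+):(?P<suite>[^:]+):(?P<bits>\d+)$"
)

# Policy (assumed, my own): nothing below TLS 1.2, and none of these suite
# families, should be seen negotiating against a server running this config.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_SUITE_MARKERS = ("RC4", "DES-CBC3", "MD5", "EXP", "NULL", "ADH", "AECDH")


def classify_suite(name):
    """Return the reasons an OpenSSL suite name is unacceptable ([] = fine)."""
    reasons = [m for m in WEAK_SUITE_MARKERS if m in name]
    # A trailing "-SHA" is a CBC suite with an HMAC-SHA1 MAC: the "degrade
    # gracefully" tier of the config above, worth reporting but not broken.
    if not reasons and name.endswith("-SHA"):
        reasons.append("CBC/SHA1")
    return reasons


def classify_session(proto, suite):
    """Combine the protocol and suite verdicts for one TLS session."""
    reasons = ["protocol " + proto] if proto in WEAK_PROTOCOLS else []
    return reasons + classify_suite(suite)


def audit_mainlog(lines):
    """Return (ip, proto, suite, reasons) for every negotiated-cipher log line."""
    findings = []
    for line in lines:
        m = CIPHER_LINE.match(line.rstrip("\n"))
        if m is None:
            continue  # STARTTLS notices and ordinary delivery lines
        findings.append((m["ip"], m["proto"], m["suite"],
                         classify_session(m["proto"], m["suite"])))
    return findings


def expand_cipher_string(spec):
    """Suites the local OpenSSL admits for a cipher string, i.e. what
    `openssl ciphers '<spec>'` prints on this host. TLS 1.3 suites are always
    listed because OpenSSL configures them separately from this string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    return [c["name"] for c in ctx.get_ciphers()]


def only_in_first(spec_a, spec_b):
    """Suites the port-25 list (spec_a) allows that the submission list (spec_b) refuses."""
    return sorted(set(expand_cipher_string(spec_a)) - set(expand_cipher_string(spec_b)))


if __name__ == "__main__":
    for ip, proto, suite, reasons in audit_mainlog(SAMPLE_LOG.splitlines()):
        verdict = "WEAK: " + ", ".join(reasons) if reasons else "ok"
        print(f"{ip:16} {proto:8} {suite:32} {verdict}")
    print("\nAdmitted by DEFAULT but refused by HIGH:!MD5:!SHA1 on this host:")
    for name in only_in_first("DEFAULT", "HIGH:!MD5:!SHA1"):
        print("  " + name)
```

Run it against the real log with audit_mainlog(open("/var/log/exim4/mainlog")) to see which peers still negotiate 3DES or pre-1.2 protocols before you tighten tls_require_ciphers; the second report changes with the OpenSSL version on the host, which is exactly why it is worth re-running after an upgrade.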