-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Folks, sorry this isn't threading: I subscribed to this list to post after being pointed by Viktor at:

http://archives.neohapsis.com/archives/postfix/2013-09/0003.html
http://archives.neohapsis.com/archives/postfix/2013-09/0015.html

For interop and to counter accidental misinformation, I'll clarify some Exim points here. If anyone wants any further guidance for Exim, I suggest that exim-users is the place to start, and that postfix-users only be used for interop debugging on this particular issue if the list veterans are happy with that. I'll try to hang around for a few days for any follow-up (but am "rather busy" right now, so replies won't be prompt).

https://lists.exim.org/mailman/listinfo/exim-users

Exim does not itself set a minimum length of 2048 bits for EDH; *if* Exim is built against GnuTLS (instead of OpenSSL), then the GnuTLS defaults will, by default, be applied to connections. As the GnuTLS library is rebuilt on newer versions, new default values chosen by GnuTLS will apply to Exim: rather than impose cryptographic policy, we prefer/try to accept the policy from the library as defaults, and provide configuration options to let the site operator override.

The only place Exim chooses a value which might match 2048 relating to DH is when generating fresh server-side parameters, as the default size to generate, if not told otherwise; the actual value is:

    gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_NORMAL)

but clamped down to a maximum of 2236, to avoid interop issues with NSS clients such as Thunderbird, because until fairly recently NSS did not support larger sizes and would hard-error.

Assuming an Exim version of at least 4.80, then the Exim option tls_require_ciphers is interpreted, for GnuTLS, as a Priority String; those are documented at:

http://gnutls.org/manual/html_node/Priority-Strings.html

Note that Exim has tls_require_ciphers both as a main section configuration option, applying to Exim-as-server, and as an option on SMTP Transports, applying to Exim-as-client.

It's been a while since I touched the GnuTLS integration and I don't currently have time to test/experiment and confirm, but I believe that overriding the GnuTLS library defaults to tell it "Weak" should be sufficient to get Exim happy to talk with smaller DH values.

More documentation on Exim's TLS handling can be found at:

http://www.exim.org/exim-html-current/doc/html/spec_html/ch-encrypted_smtp_connections_using_tlsssl.html

Regards,
-Phil, p...@exim.org
and one of the last two people to touch the GnuTLS and OpenSSL integration in Exim

-----BEGIN PGP SIGNATURE-----

iEYEAREDAAYFAlIju5oACgkQQDBDFTkDY39HkwCeObzhmF7IxL4XuCB9mfCNoKxs
hbEAoJVh15uHfpDnl2siOcJv9/QXqv9O
=e03D
-----END PGP SIGNATURE-----
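The post makes two configuration points that are easy to conflate: tls_require_ciphers exists twice in an Exim configuration (main section for Exim-as-server, smtp transport for Exim-as-client), and under GnuTLS its value is a priority string, not an OpenSSL cipher list. The fragment below is an added illustration of where those two settings sit; it is not code from Phil's message or from the Exim distribution, and the hostnames, file paths and the particular priority strings chosen are assumptions made for the example.

```exim
# Added illustration, not taken from the post above or from the Exim project.
# Hostnames, file paths and the specific priority strings are assumptions;
# the point is only where the two tls_require_ciphers settings live.
# All of this applies when Exim (4.80 or later) is linked against GnuTLS,
# where the value is a GnuTLS priority string rather than an OpenSSL cipher list.

# ---- main section: Exim as SMTP server ----
tls_advertise_hosts = *
tls_certificate     = /etc/exim/mail.example.org.pem    # assumed path
tls_privatekey      = /etc/exim/mail.example.org.key    # assumed path

# Server-side policy: start from the library's NORMAL profile and only drop
# SSLv3. Leaving the DH/EDH strength to GnuTLS, as the post describes, means
# this value does not need to mention key sizes at all.
tls_require_ciphers = NORMAL:-VERS-SSL3.0

# Optional: supply your own DH parameters instead of letting Exim generate
# them (generation is where the default size, clamped at 2236 bits, applies).
tls_dhparam = /etc/exim/dhparam.pem                      # assumed path

begin transports

# ---- smtp transport: Exim as SMTP client ----
remote_smtp:
  driver = smtp
  # Client-side policy is a separate setting with the same name; this is the
  # one to adjust when a remote server's offered parameters are rejected by
  # the library defaults. %COMPAT asks GnuTLS for its compatibility
  # work-arounds with non-conformant peers.
  tls_require_ciphers = NORMAL:%COMPAT
```

When debugging an interop failure between Exim and Postfix, check which side of the connection Exim is on before editing: an outbound delivery failure is governed by the transport's setting, an inbound one by the main-section setting, and a change to one has no effect on the other.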