cannot allow TLS1.0, TLS1.1 in exim

Where? As far as I know only TLS 1.0 and 1.1 were deprecated, TLS 1.2 is used all over still.

Ok, I think I got confused; that might have been 1.1 I was referring to.

If I may ask a quick question.

Referring to the DKIM Selector modification, to make a very minor change to /etc/exim.variables.conf.default
will the change be overwritten?

Or do I have to make the change in /etc/exim.variables.conf.custom?

This is one of my last hurdles in the DA setup, but it is for personal reasons.

I tried:

nano /usr/local/directadmin/conf/directadmin.conf
then add
minimumtls=v1_1

Then I tried to edit /etc/exim.variables.conf.default

openssl_options = removing +no_tlsv1_1

Then I rebuilt, but it overwrote my config.

So I guess I have to do the custom build thingy?
 
You're on the right track, but as for the exim.variables.conf.custom file, you only need to add what you want to change compared to the default.
Otherwise you might miss important updates of the other things.

So in the /etc/exim.variables.conf.custom just copy the line you want to change, make the change, save and then build exim and exim.conf as you did.

nano /usr/local/directadmin/conf/directadmin.conf
then add
minimumtls=v1_1
There is no such setting for directadmin as far as I'm aware. There is a tls_min_version setting but that is only valid for tls 12 and 13.

That seems to have done it... for now
That's good news for you although every client I know understands TLS 1.2 so no need to go down to 1.1.
But still I would advise to use only the applicable line in the custom file.
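The advice above (keep only the changed line in the .custom file) can be checked mechanically. The following is an added example, not part of the original thread and not DirectAdmin's own code: it assumes the custom file overrides the default per setting, and the two file contents are constructed samples, not the real defaults.

```python
import re

# Constructed sample contents (NOT the real DirectAdmin defaults).
DEFAULT = """\
# exim.variables.conf.default (constructed sample)
openssl_options = +no_sslv2 +no_sslv3 +no_tlsv1 +no_tlsv1_1
daemon_smtp_ports = 25 : 587 : 465
"""
CUSTOM = """\
# exim.variables.conf.custom (constructed sample): only the changed line
openssl_options = +no_sslv2 +no_sslv3 +no_tlsv1
"""

# Exim openssl_options tokens that switch a protocol version off.
PROTOCOL_FLAGS = {"no_sslv2": "SSLv2", "no_sslv3": "SSLv3", "no_tlsv1": "TLSv1.0",
                  "no_tlsv1_1": "TLSv1.1", "no_tlsv1_2": "TLSv1.2"}

def parse(text):
    """Return {name: value} for 'name = value' lines, skipping comments and blanks."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        settings[name.strip()] = value.strip()
    return settings

def audit(default_text, custom_text):
    """Merge custom over default and report the TLS-relevant result."""
    default, custom = parse(default_text), parse(custom_text)
    effective = {**default, **custom}  # assumption: custom wins per setting
    # Lines copied unchanged into .custom are redundant and will mask later
    # updates to the default file.
    redundant = sorted(k for k, v in custom.items() if default.get(k) == v)
    active = set()
    for sign, name in re.findall(r"([+-]?)(\w+)", effective.get("openssl_options", "")):
        (active.discard if sign == "-" else active.add)(name.lower())
    disabled = [p for f, p in PROTOCOL_FLAGS.items() if f in active]
    not_disabled = [p for f, p in PROTOCOL_FLAGS.items() if f not in active]
    return {"effective": effective, "redundant": redundant,
            "disabled": disabled, "not_disabled": not_disabled}

if __name__ == "__main__":
    for key, value in audit(DEFAULT, CUSTOM).items():
        print(f"{key}: {value}")
```

A version listed under `not_disabled` is only not switched off by `openssl_options`; the OpenSSL build and the cipher list can still refuse it.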
 
That's good news for you although every client I know understands TLS 1.2 so no need to go down to 1.1.

The thing is that I have a de-googled mobile phone running Android 4.4.4 and K9 Mail version 5.2 which has been working fantastic since 2014.

Then in August, my Irish web hosting provider decided to sell its email hosting service to TITAN UK ("no more GDPR") and they locked down either TLS1_1 or some ciphers, so I can't connect to their servers.

Luckily, I found mxRoute (USA) which uses DA and that has saved me from having to buy a new phone (which US versions are locked down this summer for rooting purposes)

Now I am trying to have my own Hetzner instance (got my GDPR back yaay) so I can host my own personal emails, and, of course, this newer DA is locking me out.

I hope it is TLS1_1, but the changes I made still don't work. It might be the choice of ciphers.

But I cannot find anything in the DA Panel logs like EXIM Panic or EXIM Reject.

Long story short I love my old phone, I have 5 of them and 20 backup batteries. So throwing my "old" technology away to get a new one is just out of the question for me.

I find these new phones to be really creepy LOL, people just seem to be addicted to them everywhere I go !
 
Having said that, Office 2007 Service Pack 3 works on mxRoute and also my new DA Instance out of the box without making changes, so I don't have to get rid of my Windows 7 environments. I find Windows 10 to be a bit creepy, and I am hearing all sorts of YouTube stories about this new super awesome AI Windows 11 TPM "protection". All this protection reminds me of that Mafia guy on the Simpsons.

Anyhoo, all I need to do now is achieve mobile phone access.

I get 100 emails a month, if even. And when they come into IMAP, I just copy them onto my local Outlook archive so IMAP usually stays empty.

I am not worried about vulnerability. I just want to have the tools mankind built just before the 2020 ERA kicked in.
 
I hope it is TLS1_1, but the changes I made still don't work. It might be the choice of ciphers.
That's very well possible. As said the setting you made in the directadmin.conf does not exist so you can remove it.

There is another setting in the custombuild configuration which is ssl_configuration=intermediate which can be set to old.

You can set this setting to old, then update custombuild and rebuild exim and exim.conf and then old ciphers should be used again too.
However, I've read somewhere this would not affect Dovecot, so I'm not 100% sure.

Maybe @zEitEr has a clue on how to enable 1.0/1.1 again for mail. I can't find it anymore on the forums if it's not this option.

Office 2007 Service Pack 3 works on mxRoute
I know, I even have a sister still working with 2003 and working fine with our servers, so with TLS 1.2. But we also still have port 587 active with just only password authentication and no tls/ssl required. I don't know if that is an option for you.
 