After a recent update I find lots (too many) of errors in my exim mainlog, claiming there is no shared cipher available for setting up an SSL connection.
This is causing issues with emails for my clients not being delivered to my server.
Having received one such message via an alternate channel, I could inspect the headers of the message that could not be delivered to my server, and I can confirm that the sending server supports TLS 1.2 but does not support any of the ciphers that are available by default to exim.
I have created a file /etc/exim.variables.conf.custom and inserted the following line (copied from /etc/exim.variables.conf, with the last two ciphers added):
Code:
tls_require_ciphers = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384
This solved most of the issues (95% fewer 'no shared cipher' messages), but some are still left in my logs.
Is there a way to find out, from any of my log files, which SSL/TLS version the failing servers support and/or which ciphers they do support?
And would it be an idea to be a little less restrictive about which ciphers DirectAdmin / Exim support by default?
Or is there a good reason for not supporting ECDHE-RSA-AES128-SHA256 and ECDHE-RSA-AES256-SHA384?
Kind regards,
Jorge.
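Added example (mine, not code from the post above, from DirectAdmin or from Exim): a small Python script for triaging the situation the post describes. It pulls the peer addresses out of mainlog lines that fail with "no shared cipher", since the log line records only the peer and the OpenSSL error, not the cipher suites the client offered, and it checks every name in a tls_require_ciphers value against the local OpenSSL one name at a time. The log lines are constructed samples in Exim's "TLS error on connection from ... [ip] (SSL_accept): ..." layout using documentation addresses; the cipher list in the demo contains a deliberately truncated suite name to show what the check catches.

```python
"""Offline triage for Exim 'no shared cipher' failures.

Added example, not part of the forum post or of DirectAdmin/Exim.
  * failing_peers()     - extract the peer addresses from exim mainlog lines
                          that report a TLS handshake error, so the senders
                          can be followed up afterwards.
  * check_cipher_spec() - resolve each name of a colon-separated
                          tls_require_ciphers value against the local OpenSSL
                          individually and report the names it cannot resolve.
"""
import re
import ssl
from collections import Counter

# Constructed sample of exim mainlog lines (not real traffic). The layout
# follows Exim's "TLS error on connection from <host> [<ip>] (SSL_accept):
# <openssl error>" message; hosts and addresses are documentation ranges.
CONSTRUCTED_MAINLOG = """\
2019-03-05 10:12:33 TLS error on connection from mail.example.net (mail.example.net) [192.0.2.10] (SSL_accept): error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
2019-03-05 10:12:41 1h0xyz-0001Ab-CD <= bob@example.org H=mx.example.org [198.51.100.7] P=esmtps X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=2345
2019-03-05 10:13:02 TLS error on connection from (relay.example.com) [203.0.113.5] (SSL_accept): error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
2019-03-05 10:15:19 TLS error on connection from [192.0.2.10] (SSL_accept): error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
2019-03-05 10:16:00 TLS error on connection from old.example.net [2001:db8::25] (SSL_accept): error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
"""

# Peer address is the last bracketed token before the "(SSL_accept):" part;
# the remainder of the line is the OpenSSL error text.
_PEER_RE = re.compile(
    r"TLS error on connection from .*?\[([^\]]+)\] \((?P<func>\w+)\): (?P<err>.*)$"
)


def failing_peers(log_text, reason="no shared cipher"):
    """Return a Counter {peer address: failures} for TLS errors whose OpenSSL
    message contains `reason`. Pass reason=None to count every TLS error."""
    peers = Counter()
    for line in log_text.splitlines():
        m = _PEER_RE.search(line)
        if not m:
            continue
        if reason is None or reason in m.group("err"):
            peers[m.group(1)] += 1
    return peers


def check_cipher_spec(spec):
    """Return the names in a colon-separated OpenSSL cipher list that the
    local OpenSSL cannot resolve to any cipher (typos, or suites compiled out).

    Each name is set on its own: OpenSSL skips unknown names without error as
    long as the rest of the list still matches something, so a typo in a long
    tls_require_ciphers value is invisible unless names are checked one by one.
    Caveat: this reflects the OpenSSL that Python is linked against, which may
    differ from the one Exim was built with.
    """
    unresolved = []
    for name in filter(None, spec.split(":")):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        try:
            ctx.set_ciphers(name)  # raises SSLError when nothing matches
        except ssl.SSLError:
            unresolved.append(name)
    return unresolved


if __name__ == "__main__":
    for peer, n in failing_peers(CONSTRUCTED_MAINLOG).most_common():
        print(f"{peer}: {n} 'no shared cipher' failure(s)")
    # Demo list with a deliberately truncated suite name (POLY130).
    demo_spec = ("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
                 "ECDHE-RSA-CHACHA20-POLY130:ECDHE-RSA-AES128-SHA256")
    print("unresolved cipher names:", check_cipher_spec(demo_spec))
```

To use it on a live system, read /var/log/exim/mainlog into `failing_peers` instead of the constructed sample. The addresses it returns are the senders that have to be followed up: capturing a ClientHello from such a host (for example with tcpdump on port 25) shows exactly which protocol versions and cipher suites its outbound client offers, whereas probing the remote MX with `openssl s_client -connect host:25 -starttls smtp` only shows that host's server-side configuration, which need not match what its client sends.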