Improve SMTP cipher selection

[chef.git] / cookbooks / exim / templates / default / exim4.conf.erb

diff --git a/cookbooks/exim/templates/default/exim4.conf.erb b/cookbooks/exim/templates/default/exim4.conf.erb
index f4db98d06875f4d1c57d22dbff17dac4e811ab48..e0224872e5373bcf5802273c2a3bd2ddae495d04 100644 (file)
--- a/cookbooks/exim/templates/default/exim4.conf.erb
+++ b/cookbooks/exim/templates/default/exim4.conf.erb
@@ -146,6 +146,10 @@ spamd_address = 127.0.0.1 783
 
 tls_advertise_hosts = <; !127.0.0.1 ; !::1
 
+# Configured TLS cipher selection.
+
+tls_require_ciphers = NORMAL:-VERS-SSL3.0:-CIPHER-ALL:-SHA1:-MD5:+SHA1:+AES-256-GCM:+AES-256-CBC:+CAMELLIA-256-CBC:+AES-128-GCM:+AES-128-CBC:+CAMELLIA-128-CBC:%SERVER_PRECEDENCE
+
 # Specify the location of the Exim server's TLS certificate and private key.
 # The private key must not be encrypted (password protected). You can put
 # the certificate and private key in the same file, in which case you only
@@ -657,6 +661,8 @@ begin transports
 
 remote_smtp:
   driver = smtp
+  multi_domain = false
+  tls_require_ciphers = NORMAL:-VERS-SSL3.0:-CIPHER-ALL:-SHA1:-MD5:+SHA1:+AES-256-GCM:+AES-256-CBC:+CAMELLIA-256-CBC:+AES-128-GCM:+AES-128-CBC:+CAMELLIA-128-CBC:%SERVER_PRECEDENCE
 
 
 # This transport is used for handling pipe deliveries generated by alias or