; 172.29.198.161 ; 2001:ba8:1d9:a000::1:1 m4_dnl national
)
+## TLS certificate list.
+DEFCONF(certlist,
+<:m4_ifelse(t, m4_ifelse(MODE, hub, nil, MODE, srv, nil, t),
+<:CONF_sysconf_dir/server.certlist:>,
+<:CONF_sysconf_dir/${if ={$received_port}{CONF_submission_port}{server}\
+ {${if match_ip{$sender_host_address}{+trusted} \
+ {server}{letsencrypt}}}}.certlist:>):>)
+
## TLS-related settings. We're assuming GNUTLS here, rather than OpenSSL.
## For local connections we are very strict. For random clients, we try
## fairly hard to encourage any kind of crypto on the grounds that probably
:+COMP-NULL<::>m4_dnl
)
DEFCONF(acceptable_ciphers, NONE<::>m4_dnl
+:+VERS-TLS-ALL<::>m4_dnl
:+ECDHE-RSA:+ECDHE-ECDSA<::>m4_dnl
+:+KX-ALL<::>m4_dnl
+:+SIGN-ALL<::>m4_dnl
+:+CTYPE-ALL<::>m4_dnl
:+CHACHA20-POLY1305<::>m4_dnl
:+AES-256-GCM:+AES-128-GCM<::>m4_dnl
+:+CIPHER-ALL<::>m4_dnl
:+CURVE-X25519<::>m4_dnl
+:+CURVE-ALL<::>m4_dnl
:+AEAD<::>m4_dnl
-:+NORMAL<::>m4_dnl
+:+MAC-ALL<::>m4_dnl
+:+COMP-NULL<::>m4_dnl
:-MD5<::>m4_dnl
)
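Review bot: The new `acceptable_ciphers` string swaps `:+NORMAL` for the catch-all groups (`+VERS-TLS-ALL`, `+KX-ALL`, `+SIGN-ALL`, `+CIPHER-ALL`, `+MAC-ALL`, `+CURVE-ALL`) and leaves `:-MD5` as the only removal. Nothing in the list documents or pins the weakest protocol version, cipher or signature algorithm the server will negotiate, so the floor is whatever the installed GnuTLS puts in those groups. If this is the deliberate opportunistic stance the comment above describes for random clients, say so next to the list, e.g. `## Explicit entries only set preference order; the *-ALL groups are a deliberate fallback for legacy clients.` As far as I can tell `-MD5` removes the MD5 MAC only and does not touch what `+SIGN-ALL` adds, so confirm that is what is meant. If a floor is wanted, append explicit removals such as `:-VERS-TLS1.0:-VERS-TLS1.1<::>m4_dnl` and `:-3DES-CBC<::>m4_dnl` before the closing parenthesis. Whether this definition is also used for the "very strict" local case is not visible here.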