X-Git-Url: https://git.distorted.org.uk/~mdw/exim-config/blobdiff_plain/1df2595e16dd591d27c4089f19dac493f638d3ca..5a72d0f31f02b3bac0725604a178e50713a1cbaf:/config.m4 diff --git a/config.m4 b/config.m4 index ada2909..981f672 100644 --- a/config.m4 +++ b/config.m4 @@ -73,7 +73,19 @@ DEFCONF(user_suffix_list, +* : -*) DEFCONF(user_extaddr_fixup, ${sg {$local_part_suffix}{^[-+]}{}}) ## Other hosts allowed to relay mail through us. -DEFCONF(relay_clients, <; +trusted ; 172.29.80.8) +DEFCONF(relay_clients, , +<:CONF_sysconf_dir/${if ={$received_port}{CONF_submission_port}{server}\ + {${if match_ip{$sender_host_address}{+trusted} \ + {server}{letsencrypt}}}}.certlist:>):>) ## TLS-related settings. We're assuming GNUTLS here, rather than OpenSSL. ## For local connections we are very strict. For random clients, we try 
@@ -81,14 +93,31 @@ DEFCONF(relay_clients, <; +trusted ; 172.29.80.8)
 ## nobody can verify our certificate anyway.
 DEFCONF(good_ciphers, NONE<::>m4_dnl
 :+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0<::>m4_dnl
-:+DHE-RSA:+DHE-DSS<::>m4_dnl
-:+AES-256-CBC:+AES-128-CBC<::>m4_dnl
-:+SHA256:+SHA384:+SHA512:+SHA1<::>m4_dnl
-:+SIGN-RSA-SHA512:+SIGN-RSA-SHA384:+SIGN-RSA-SHA256:+SIGN-DSA-SHA256<::>m4_dnl
+:+ECDHE-RSA:+ECDHE-ECDSA:+DHE-RSA:+DHE-DSS<::>m4_dnl
+:+CHACHA20-POLY1305<::>m4_dnl
+:+AES-256-GCM:+AES-128-GCM:+AES-256-CBC:+AES-128-CBC<::>m4_dnl
+:+AEAD:+SHA256:+SHA384:+SHA512<::>m4_dnl
+:+SIGN-RSA-SHA512:+SIGN-RSA-SHA384:+SIGN-RSA-SHA256<::>m4_dnl
+:+SIGN-ECDSA-SHA512:+SIGN-ECDSA-SHA384:+SIGN-ECDSA-SHA256<::>m4_dnl
+:+SIGN-DSA-SHA256<::>m4_dnl
+:+CURVE-X25519:+CURVE-SECP256R1:+CURVE-SECP521R1:+CURVE-SECP384R1<::>m4_dnl
 :+CTYPE-X.509<::>m4_dnl
 :+COMP-NULL<::>m4_dnl
 )
-DEFCONF(acceptable_ciphers, NORMAL<::>m4_dnl
+DEFCONF(acceptable_ciphers, NONE<::>m4_dnl
+:+VERS-TLS-ALL<::>m4_dnl
+:+ECDHE-RSA:+ECDHE-ECDSA<::>m4_dnl
+:+KX-ALL<::>m4_dnl
+:+SIGN-ALL<::>m4_dnl
+:+CTYPE-ALL<::>m4_dnl
+:+CHACHA20-POLY1305<::>m4_dnl
+:+AES-256-GCM:+AES-128-GCM<::>m4_dnl
+:+CIPHER-ALL<::>m4_dnl
+:+CURVE-X25519<::>m4_dnl
+:+CURVE-ALL<::>m4_dnl
+:+AEAD<::>m4_dnl
+:+MAC-ALL<::>m4_dnl
+:+COMP-NULL<::>m4_dnl
 :-MD5<::>m4_dnl
 )
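Review bot: In `good_ciphers`, removing `+SHA1` from the MAC list while the unchanged context line still enables `+VERS-TLS1.1:+VERS-TLS1.0` appears to leave those two versions with no usable suite, since the CBC suites with SHA256/SHA384 MACs and all AEAD suites are defined for TLS 1.2 only. The strict list is then effectively TLS 1.2-only, which is a reasonable tightening, but the version line should say so, `:+VERS-TLS1.2<::>m4_dnl`, and it is worth watching the logs for local peers whose handshakes start failing after this change. The new list also carries over `+DHE-DSS` and `+SIGN-DSA-SHA256`; if no peer presents a DSA certificate these could be dropped from the strict set. In `acceptable_ciphers` the effect seems to depend on ordering, with preferred entries placed ahead of each `-ALL` catch-all, so a comment such as `## Preferred algorithms first; each -ALL entry only appends the remainder.` above the definition would record the intent.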