base.m4: Be slacker about DH lengths.
author Mark Wooding <mdw@distorted.org.uk>
Wed, 20 Apr 2016 00:52:52 +0000 (01:52 +0100)
committer Mark Wooding <mdw@distorted.org.uk>
Wed, 20 Apr 2016 00:52:52 +0000 (01:52 +0100)
Reduce the minimum size for general outbound SMTP to about 512 bits,
because (a) any DH is better than none, and (b) Exim will defer rather
than switching to plaintext if the receiving SMTP advertises STARTTLS.

Also introduce new transports with lower limits, and be consistent about
actually undershooting the advertised limit by four bits.

base.m4

diff --git a/base.m4 b/base.m4
index 25328e7..e78194a 100644
--- a/base.m4
+++ b/base.m4
@@ -418,7 +418,7 @@ smtp:
        driver = smtp
        APPLY_HEADER_CHANGES
        tls_require_ciphers = CONF_acceptable_ciphers
-       tls_dh_min_bits = 1020
+       tls_dh_min_bits = 508
        tls_tempfail_tryclear = true
 
 m4_define(<:SMTP_TRANS_DHBITS:>,
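Review bot: the new `tls_dh_min_bits = 508` floor on the general `smtp` transport accepts groups in the size class that was shown to be practically breakable (512-bit DH) at the time of this change, so the setting is a deliberate availability-over-confidentiality trade and should be documented inline rather than only in the commit message; a comment such as `## 508, not 512: nominal size minus four bits; see commit history` above the option would stop a later reader from "fixing" it back up. Also, the no-plaintext property the commit message relies on sits next to `tls_tempfail_tryclear = true`, which governs whether Exim retries in clear after a TLS setup problem; whether a DH handshake rejected for a too-small group counts as such a problem is worth confirming against the Exim spec for the deployed version, and for peers where cleartext is never acceptable the guarantee is better pinned explicitly with `hosts_require_tls` than inferred from the minimum-bits setting.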
@@ -441,10 +441,14 @@ m4_define(<:SMTP_TRANS_DHBITS:>,
                      {CONF_acceptable_ciphers})
        tls_dh_min_bits = $1
        tls_tempfail_tryclear = true:>)m4_dnl
+smtp_dhbits_512:
+       SMTP_TRANS_DHBITS(508)
+smtp_dhbits_768:
+       SMTP_TRANS_DHBITS(764)
 smtp_dhbits_1024:
        SMTP_TRANS_DHBITS(1020)
 smtp_dhbits_2048:
-       SMTP_TRANS_DHBITS(2046)
+       SMTP_TRANS_DHBITS(2044)
 
 ## Transport to a local SMTP server; use TLS and perform client
 ## authentication.
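Review bot: the four-bit undershoot is now applied uniformly (512→508, 768→764, 1024→1020, 2048→2044), but nothing in the file says why the argument to `SMTP_TRANS_DHBITS` is the nominal size minus four, so a comment on the `m4_define` stating the convention (argument = advertised group size − 4) would keep the next transport added here consistent. Note also that `smtp_dhbits_512` enforces the same 508-bit minimum as the general `smtp` transport in the hunk above, so it is a named alias rather than a weaker setting; if it exists so routers can select it explicitly, say so in a comment, and keep the `_768` transport only for peers that are known to reject 1020 but offer 764 or more, since each lower-limit transport widens the set of groups a downgrade to a weak parameter set would be accepted with.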