base.m4, exchange.m4, config.m4: Tweak TLS settings.
authorMark Wooding <mdw@distorted.org.uk>
Sun, 26 Jan 2014 13:05:32 +0000 (13:05 +0000)
committerMark Wooding <mdw@distorted.org.uk>
Sun, 26 Jan 2014 13:05:32 +0000 (13:05 +0000)
Mobile devices object to (a) lack of SHA1, (b) lack of TLSv1.0, and (c)
very large (as they see it) Diffie--Hellman groups.  Fix these things,
grudgingly.

base.m4
config.m4
exchange.m4

diff --git a/base.m4 b/base.m4
index f1701d1..3b3d82f 100644 (file)
--- a/base.m4
+++ b/base.m4
@@ -250,7 +250,7 @@ smtp_local:
        tls_privatekey = CONF_sysconf_dir/client.key
        tls_verify_certificates = CONF_ca_dir/ca.cert
        tls_require_ciphers = CONF_good_ciphers
-       tls_dh_min_bits = 3070
+       tls_dh_min_bits = 2046
        tls_tempfail_tryclear = false
        authenticated_sender = ${if def:authenticated_id \
                                    {$authenticated_id@CONF_master_domain} \
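Review bot: The new `tls_dh_min_bits = 2046` in the smtp_local transport is an unexplained magic number, and it is silently coupled to the size of the group the server side offers (the same commit switches `tls_dhparam` to `dh-param-2048.pem` in exchange.m4). A comment above it in the `##` style config.m4 uses would help, for example `## Just under 2048: must not exceed the server's DH group size (see tls_dhparam in exchange.m4)`. The choice of 2046 rather than 2048 is presumably tolerance for primes that come out a bit or two short, which is worth confirming and stating. This is a floor on an outbound client transport, so it now accepts a smaller group from whichever host the transport connects to, not only where mobile devices are involved. The transport block starts and ends outside the hunk.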
index 4678f20..d84f648 100644 (file)
--- a/config.m4
+++ b/config.m4
@@ -67,10 +67,10 @@ DEFCONF(relay_clients, +trusted)
 ## fairly hard to encourage any kind of crypto on the grounds that probably
 ## nobody can verify our certificate anyway.
 DEFCONF(good_ciphers, NONE<::>m4_dnl
-:+VERS-TLS1.2:+VERS-TLS1.1<::>m4_dnl
+:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0<::>m4_dnl
 :+DHE-RSA:+DHE-DSS<::>m4_dnl
 :+AES-256-CBC:+AES-128-CBC<::>m4_dnl
-:+SHA256<::>m4_dnl
+:+SHA256:+SHA384:+SHA512:+SHA1<::>m4_dnl
 :+SIGN-RSA-SHA512:+SIGN-RSA-SHA384:+SIGN-RSA-SHA256:+SIGN-DSA-SHA256<::>m4_dnl
 :+CTYPE-X.509<::>m4_dnl
 :+COMP-NULL<::>m4_dnl
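Review bot: Adding `+VERS-TLS1.0` and `+SHA1` to `good_ciphers` relaxes every place that expands `CONF_good_ciphers`, not only the listener that mobile devices talk to. The same string is the `tls_require_ciphers` of the smtp_local client transport in base.m4 and of the submission-port/trusted-host branch in exchange.m4. Because the only ciphers enabled are AES-CBC, TLS 1.0 sessions will use CBC suites, the combination exposed to the BEAST-class predictable-IV weakness. It would be safer to keep the strict string for the outbound transport and define a separate, clearly named compatibility string for the listener. At minimum, record the reason beside the setting, e.g. `## TLS1.0 and SHA1 (as MAC only; SIGN-* is unchanged) are here for mobile submission clients -- remove when they cope without`; the DEFCONF continues past the end of the hunk.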
index 00f0b05..ee27e3c 100644 (file)
@@ -31,7 +31,7 @@ SECTION(global, tls)m4_dnl
 tls_certificate = CONF_sysconf_dir/server.cert
 tls_privatekey = CONF_sysconf_dir/server.key
 tls_advertise_hosts = *
-tls_dhparam = CONF_ca_dir/dh-param.pem
+tls_dhparam = CONF_ca_dir/dh-param-2048.pem
 tls_require_ciphers = ${if or {{={$received_port}{CONF_submission_port}} \
                               {match_ip {$sender_host_address}{+trusted}}} \
                           {CONF_good_ciphers} \
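Review bot: `tls_dhparam` now points at `CONF_ca_dir/dh-param-2048.pem`, but the file list for this commit contains only the three m4 files, so nothing visible here generates or installs that parameter file. If it is absent when the config is deployed, TLS setup on the listener will presumably fail or not behave as intended. The file should therefore be provisioned first and its origin documented, e.g. `## 2048-bit group for mobile clients; generated by <command or Makefile target placeholder>`. The smaller group is served to every client of this listener, not just the mobile ones. The `tls_require_ciphers` expression continues past the end of the hunk.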