Mobile devices object to (a) lack of SHA1, (b) lack of TLSv1.0, and (c)
very large (as they see it) Diffie--Hellman groups. Fix these things,
grudgingly.
tls_privatekey = CONF_sysconf_dir/client.key
tls_verify_certificates = CONF_ca_dir/ca.cert
tls_require_ciphers = CONF_good_ciphers
- tls_dh_min_bits = 3070
+ tls_dh_min_bits = 2046
tls_tempfail_tryclear = false
authenticated_sender = ${if def:authenticated_id \
{$authenticated_id@CONF_master_domain} \
## fairly hard to encourage any kind of crypto on the grounds that probably
## nobody can verify our certificate anyway.
DEFCONF(good_ciphers, NONE<::>m4_dnl
-:+VERS-TLS1.2:+VERS-TLS1.1<::>m4_dnl
+:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0<::>m4_dnl
:+DHE-RSA:+DHE-DSS<::>m4_dnl
:+AES-256-CBC:+AES-128-CBC<::>m4_dnl
-:+SHA256<::>m4_dnl
+:+SHA256:+SHA384:+SHA512:+SHA1<::>m4_dnl
:+SIGN-RSA-SHA512:+SIGN-RSA-SHA384:+SIGN-RSA-SHA256:+SIGN-DSA-SHA256<::>m4_dnl
:+CTYPE-X.509<::>m4_dnl
:+COMP-NULL<::>m4_dnl
tls_certificate = CONF_sysconf_dir/server.cert
tls_privatekey = CONF_sysconf_dir/server.key
tls_advertise_hosts = *
-tls_dhparam = CONF_ca_dir/dh-param.pem
+tls_dhparam = CONF_ca_dir/dh-param-2048.pem
tls_require_ciphers = ${if or {{={$received_port}{CONF_submission_port}} \
{match_ip {$sender_host_address}{+trusted}}} \
{CONF_good_ciphers} \