Angatar/mailman2

How to Disable TLS 1.0 and 1.1 For Exim?

wolveix opened this issue · 3 comments

Hi!

Really appreciate your hard work in building out this image, it made deployment a breeze for us :)

We need to disable the use of TLS 1.0 and 1.1 for our deployment (specifically for port 465), as they fail our compliance checks. It doesn't seem that Exim is using the /etc/ssl/openssl.cnf config (which specifies MinProtocol = TLSv1.2). It looks like Exim may use GnuTLS instead, though there isn't an existing config for this that I could find. Attempts to create this manually at /etc/gnutls/config with the relevant config values inside didn't appear to make a difference.

I could be completely off base with what I've tried so far, so would really appreciate some guidance on how I might go about resolving this.

Thanks in advance!

Thanks for your feedback!

You're absolutely right; Exim4 in Debian defaults to using GnuTLS instead of OpenSSL. To obtain details about the Exim version in use, along with its build options and TLS library, you can execute a simple command in Docker:

# Start a throwaway container, print Exim's version, build options and TLS library, then stop it
docker run --rm --name mailman -d d3fk/mailman2 && \
docker exec mailman exim -bV && \
docker stop mailman

From the output, we can confirm that our Exim version (currently 4.92) is built with GnuTLS support.

To check the TLS version used by Exim, you can use, for example, OpenSSL with the following command:

# Port 25 upgrades to TLS via STARTTLS; for port 465 (implicit TLS) drop "-starttls smtp"
openssl s_client -connect your.mail.server.address:25 -starttls smtp

In the output, seek a line starting with "Protocol," which denotes the TLS version being used. With our current d3fk/mailman2:latest container, you should typically encounter Protocol : TLSv1.2 or TLSv1.3, depending on how your configuration is set up.

To explicitly restrict the usage of TLS versions to TLS >= 1.2, it's necessary to update the Exim4 configuration. Within this container, Debian's Exim4 configuration is divided across numerous files located in /etc/exim4/conf.d/, subsequently merged into a single file by executing the update-exim4.conf command. The files therein are concatenated in alphabetical order. For tailor-made configurations, we recommend naming your files with a prefix like 00_ (for example, 00_exim4-my-config) to ensure they're processed first.

For example, to disable older versions of TLS, you might add the following parameter:

# Disable older versions of protocols
tls_require_ciphers = NORMAL:%LATEST_RECORD_VERSION:-VERS-SSL3.0

For further details on Exim4 and TLS, refer to the Exim documentation: https://www.exim.org/exim-html-current/doc/html/spec_html/ch-encrypted_smtp_connections_using_tlsssl.html

Currently, I don't have enough time to conduct tests on this, but it will undeniably constitute a significant enhancement to the container to explicitly prohibit the use of TLSv1.0 and TLSv1.1 within the configuration.

I hope this provides sufficient guidance to address the issue. I look forward to your solution to implement it in the container image. 😉

Hey @Angatar, thanks for the in-depth response! I really appreciated your insight into this :)

Following your advice, I was able to create the following file (which I've now added via a bind-mount for it to persist between container rebuilds):

root@mailman:/etc/exim4/conf.d/main# cat 00_minimum_tls 
tls_require_ciphers = NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1

It'd be great to have this included by default (given that both TLS 1.0 and 1.1 are insecure)!
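The thread checks the negotiated protocol by eye in `openssl s_client` output. The script below is an added example, not code from the issue or from the d3fk/mailman2 image: it forces one TLS version per handshake against the implicit-TLS port (465) and the STARTTLS port (25), parses the `Protocol` line, and flags any legacy version that is still accepted, which is the check to run after adding the `tls_require_ciphers` line to `/etc/exim4/conf.d/main/`. The hostname and port roles are assumptions.

```shell
#!/bin/sh
# Added example (not from the issue or the d3fk/mailman2 image): probe which TLS
# versions a mail server still accepts so the tls_require_ciphers change can be
# verified from outside the container. Host and port roles are assumptions.

# Pull the negotiated protocol out of `openssl s_client` output read from stdin.
# Prints e.g. "TLSv1.2", or "none" when no session line is present (handshake failed).
parse_protocol() {
    proto=$(sed -n 's/^[[:space:]]*Protocol[[:space:]]*:[[:space:]]*//p' | head -n 1)
    if [ -n "$proto" ]; then
        printf '%s\n' "$proto"
    else
        printf 'none\n'
    fi
}

# Exit status 0 when the protocol name is one that compliance checks reject.
is_legacy_protocol() {
    case "$1" in
        SSLv3|TLSv1|TLSv1.1) return 0 ;;
        *) return 1 ;;
    esac
}

# One handshake forcing a single protocol version.
#   $1 host, $2 port, $3 openssl version flag (tls1, tls1_1, tls1_2, tls1_3),
#   $4 "starttls" for a port that upgrades via STARTTLS, anything else for implicit TLS.
# Newer OpenSSL clients refuse TLS 1.0/1.1 at their default security level, so the
# cipher string lowers it for this probe only; the server is what is being tested.
probe_version() {
    host=$1; port=$2; flag=$3; mode=$4
    starttls_args=""
    if [ "$mode" = "starttls" ]; then
        starttls_args="-starttls smtp"
    fi
    openssl s_client -connect "$host:$port" "-$flag" $starttls_args \
        -cipher 'DEFAULT:@SECLEVEL=0' </dev/null 2>/dev/null | parse_protocol
}

# Probe every version on one port, print a report line per version, and return 1
# if any legacy protocol was negotiated.
check_port() {
    host=$1; port=$2; mode=$3
    status=0
    for flag in tls1 tls1_1 tls1_2 tls1_3; do
        proto=$(probe_version "$host" "$port" "$flag" "$mode")
        if [ "$proto" = "none" ]; then
            printf '%s:%s %-7s rejected\n' "$host" "$port" "$flag"
        elif is_legacy_protocol "$proto"; then
            printf '%s:%s %-7s ACCEPTED (%s) <- fails compliance\n' "$host" "$port" "$flag" "$proto"
            status=1
        else
            printf '%s:%s %-7s accepted (%s)\n' "$host" "$port" "$flag" "$proto"
        fi
    done
    return $status
}

# Usage (assumed hostname): probe the implicit-TLS port and the STARTTLS port.
# check_port mail.example.com 465 implicit
# check_port mail.example.com 25 starttls
```

A "rejected" line only means the handshake failed: if every version including tls1_2 is rejected, confirm the client side first (some OpenSSL builds omit the -tls1 and -tls1_1 flags entirely, and port 465 must be probed without -starttls). With the 00_minimum_tls priority string from this thread in place, tls1 and tls1_1 should be rejected while tls1_2 is accepted.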