# tls_privatekey = /etc/ssl/exim.pem
# For OpenSSL, prefer EC- over RSA-authenticated ciphers
-# tls_require_ciphers = ECDSA:RSA:!COMPLEMENTOFDEFAULT
+.ifdef _HAVE_OPENSSL
+tls_require_ciphers = ECDSA:RSA:!COMPLEMENTOFDEFAULT
+.endif
+
+# Don't offer resumption to (most) MUAs, who we don't want to reuse
+# tickets. Once the TLS extension for vended ticket numbers comes
+# though, re-examine since resumption on a single-use ticket is still a benefit.
+.ifdef _HAVE_TLS_RESUME
+tls_resumption_hosts = ${if inlist {$received_port}{587:465} {:}{*}}
+.endif
# In order to support roaming users who wish to send email from anywhere,
# you may want to make Exim listen on other ports as well as port 25, in
# to the first recipient must be deferred unless the sender talks PRDR.
#
# defer !condition = $prdr_requested
- # condition = ${if > {0}{$receipients_count}}
+ # condition = ${if > {0}{$recipients_count}}
# condition = ${if !eq {$acl_m_content_filter} \
# {${lookup PER_RCPT_CONTENT_FILTER}}}
# warn !condition = $prdr_requested
- # condition = ${if > {0}{$receipients_count}}
+ # condition = ${if > {0}{$recipients_count}}
# set acl_m_content_filter = ${lookup PER_RCPT_CONTENT_FILTER}
#############################################################################
# This transport is used for delivering messages over SMTP connections.
-# Refuse to send any message with over-long lines, which could have
-# been received other than via SMTP. The use of message_size_limit to
-# enforce this is a red herring.
remote_smtp:
driver = smtp
- message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
-.ifdef _HAVE_PRDR
- hosts_try_prdr = *
+.ifdef _HAVE_TLS_RESUME
+ tls_resumption_hosts = *
.endif
smarthost_smtp:
driver = smtp
- message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
multi_domain
#
.ifdef _HAVE_TLS
# request with your smarthost provider to get things fixed:
hosts_require_tls = *
tls_verify_hosts = *
- # As long as tls_verify_hosts is enabled, this won't matter, but if you
- # have to comment it out then this will at least log whether you succeed
- # or not:
+ # As long as tls_verify_hosts is enabled, this this will have no effect,
+ # but if you have to comment it out then this will at least log whether
+ # you succeed or not:
tls_try_verify_hosts = *
#
# The SNI name should match the name which we'll expect to verify;
.ifdef _HAVE_GNUTLS
tls_require_ciphers = SECURE192:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1
.endif
+.ifdef _HAVE_TLS_RESUME
+ tls_resumption_hosts = *
.endif
-.ifdef _HAVE_PRDR
- hosts_try_prdr = *
.endif