i.e. PLAIN or LOGIN. The &%server_advertise_condition%& setting controls
when Exim offers authentication to clients; in the examples, this is only
when TLS or SSL has been started, so to enable the authenticators you also
-need to add support for TLS as described in &<<SECTdefconfmain>>&.
+need to add support for TLS as described in section &<<SECTdefconfmain>>&.
The &%server_condition%& setting defines how to verify that the username and
password are correct. In the examples it just produces an error message.
To make the authenticators work, you can use a string expansion
-expression like one of the examples in &<<CHAPplaintext>>&.
+expression like one of the examples in chapter &<<CHAPplaintext>>&.
Beware that the sequence of the parameters to PLAIN and LOGIN differ; the
-usercode and password are in different positions. &<<CHAPplaintext>>&
-covers both.
+usercode and password are in different positions.
+Chapter &<<CHAPplaintext>>& covers both.
.ecindex IIDconfiwal
If you prefer more security and are willing to break some clients, raise this
number.
+
+Note that the value passed to GnuTLS for *generating* a new prime may be a
+little less than this figure, because GnuTLS is inexact and may produce a
+larger prime than requested.
.wen
ignored. See section &<<SECTopenvsgnu>>& for further details.
.new
-If the DH bit-count from loading the file is greater than tls_dh_max_bits then
-it will be ignored.
+If the DH bit-count from loading the file is greater than &%tls_dh_max_bits$&
+then it will be ignored.
.wen
# chown exim:exim new-params
# chmod 0600 new-params
# certtool --generate-dh-params --bits 2236 >>new-params
+# openssl dhparam -noout -text -in new-params | head
+[ check the first line, make sure it's not more than 2236;
+ if it is, then go back to the start ("rm") and repeat
+ until the size generated is at most the size requested ]
# chmod 0400 new-params
# mv new-params gnutls-params-2236
.endd
value for their parameter &`GNUTLS_SEC_PARAM_NORMAL`&, as clamped by
&%tls_dh_max_bits%&. At the time of writing (mid 2012), GnuTLS 2.12 recommends
2432 bits, while NSS is limited to 2236 bits.
+
+In fact, the requested value will be *lower* than &%tls_dh_max_bits%&, to
+increase the chance of the generated prime actually being within acceptable
+bounds, as GnuTLS has been observed to overshoot. Note the check step in the
+procedure above. There is no sane procedure available to Exim to double-check
+the size of the generated prime, so it might still be too large.
.wen