From: Tom Hughes <tom@compton.nu>
Date: Fri, 5 Oct 2018 14:22:24 +0000 (+0100)
Subject: Disable RC4, MD5 and SHA1 for SMTP encryption
X-Git-Url: https://git.openstreetmap.org/chef.git/commitdiff_plain/524a7ce279b8975ebe0dfb61f8f9f637e5f04b0f

Disable RC4, MD5 and SHA1 for SMTP encryption
---

diff --git a/cookbooks/exim/templates/default/exim4.conf.erb b/cookbooks/exim/templates/default/exim4.conf.erb
index caac72c52..0c99c2ce7 100644
--- a/cookbooks/exim/templates/default/exim4.conf.erb
+++ b/cookbooks/exim/templates/default/exim4.conf.erb
@@ -148,7 +148,7 @@ tls_advertise_hosts = <; !127.0.0.1 ; !::1
 
 # Configured TLS cipher selection.
 
-tls_require_ciphers = NORMAL:%LATEST_RECORD_VERSION:-VERS-SSL3.0
+tls_require_ciphers = NORMAL:%LATEST_RECORD_VERSION:-ARCFOUR-128:-MD5:-SHA1:-VERS-SSL3.0
 
 # Specify the location of the Exim server's TLS certificate and private key.
 # The private key must not be encrypted (password protected). You can put
@@ -662,7 +662,7 @@ begin transports
 remote_smtp:
   driver = smtp
   multi_domain = false
-  tls_require_ciphers = NORMAL:%LATEST_RECORD_VERSION:-VERS-SSL3.0
+  tls_require_ciphers = NORMAL:%LATEST_RECORD_VERSION:-ARCFOUR-128:-MD5:-SHA1:-VERS-SSL3.0
 
 
 # This transport is used for handling pipe deliveries generated by alias or