Upgraded and now exim problems

1] Upgraded from Debian 9 and myVesta to Debian 12 and HestiaCP (complete wipe with minimal Debian). Most everything works fine, but now can’t use plain auth on 587. A program we use in public safety, which they always suck, uses no-SSL/TLS on 587.

daemon_smtp_ports = 25 : 465 : 587 : 2525 : 81
tls_on_connect_ports = 465 : 81

2] Another problem is a program that uses TLS 1.0. I’m not sure what to add to this line to allow TLS 1 and TLS 1.1.

tls_require_ciphers = PERFORMANCE:-RSA:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3:%SERVER_PRECEDENCE
auth_advertise_hosts = localhost : ${if eq{$tls_in_cipher}{}{}{*}}

I see /etc/exim4/conf.d/main/03_exim4-config_tlsoptions , but I cannot find the proper information to put in there.

3] Rejected because 173.216.x.x is in a black list at zen.spamhaus.org
I do not have SpamAssassin turned on??

I have edited /etc/exim4/white-blocks.conf , but again, no information on if you use : ; , for the file.

/etc/exim4/white-blocks.conf
x.x.0.0/14
x.x.192.0/19
x.x.219.249/32
x.x.0.0/12
x.x.0.0/11

Hello @arktex54,

Take a look at this post:

Try this:

tls_require_ciphers = PERFORMANCE:-RSA:-VERS-ALL:+VERS-TLS1.0:+VERS-TLS1.1:+VERS-TLS1.2:+VERS-TLS1.3:%SERVER_PRECEDENCE

But maybe it won’t work because of the openssl version installed in Debian 12.

zen.spamhaus.org is not related to spamassassin, it is a DBL (Domain BlackList) and it is used by exim to stop spammers, etc.

If you can’t receive any mails because all IPs are being rejected and you are using public DNS resolvers like 1.1.1.1, 8.8.8.8, etc., you have 3 options:

1.- Install and use your own DNS resolver (like Unbound or PowerDNS).
2.- Remove zen.spamhaus.org from /etc/exim4/dnsbl.conf and restart exim (I don’t recommend it).
3.- Create a free query key from Spamhaus and use it in exim. To do so, check this link

Cheers,
sahsanu
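
An added example, not part of the posts above and not HestiaCP code: a small diagnostic for the "all IPs are being rejected" case, which tells a genuine zen.spamhaus.org listing apart from the error replies Spamhaus returns in 127.255.255.0/24 (for instance when the query arrives through a public resolver). The function names are hypothetical, the sample replies are constructed, and the code-to-dataset mapping follows Spamhaus's published return codes.

```python
import ipaddress
import socket

ZONE = "zen.spamhaus.org"

# Replies in 127.255.255.0/24 are Spamhaus error codes, not listings.
ERRORS = {
    "127.255.255.252": "typing error in the DNSBL name",
    "127.255.255.254": "query arrived via a public/open resolver",
    "127.255.255.255": "excessive number of queries",
}
# Last octet of a genuine ZEN reply -> dataset that listed the address.
DATASETS = {2: "SBL", 3: "CSS", 4: "XBL", 5: "XBL", 6: "XBL", 7: "XBL",
            9: "DROP", 10: "PBL", 11: "PBL"}

def query_name(ip, zone=ZONE):
    """Reverse the IPv4 octets and append the zone (DNSBL lookup name)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def classify(answers):
    """Return (verdict, detail) for the A records of one DNSBL lookup."""
    if not answers:
        return ("not_listed", "no A record")
    for a in answers:
        if a.startswith("127.255.255."):
            return ("resolver_error", ERRORS.get(a, "unknown error code"))
    sets = sorted({DATASETS.get(int(a.rsplit(".", 1)[1]), "unknown")
                   for a in answers if a.startswith("127.0.0.")})
    return ("listed", ",".join(sets)) if sets else ("unexpected", ",".join(answers))

def live_check(ip):
    """Look up ip through the system resolver (needs network access)."""
    try:
        answers = socket.gethostbyname_ex(query_name(ip))[2]
    except socket.gaierror:
        answers = []
    return classify(answers)

if __name__ == "__main__":
    # Constructed sample replies, not captured from a real server.
    samples = {"via public resolver": ["127.255.255.254"],
               "real listing": ["127.0.0.2", "127.0.0.10"],
               "clean sender": []}
    for label, answers in samples.items():
        print(label, "->", classify(answers))
```

Run on the mail server itself, `live_check("127.0.0.2")` uses the RFC 5782 test entry: a `resolver_error` verdict there means the rejections come from how the queries reach Spamhaus, not from the senders being listed.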
