; See 'haraka -h tls'

key=/secure/privkey.pem
cert=/secure/fullchain.pem
; dhparam=dhparams.pem

; ciphers: a list of permitted ciphers
; The default cipher list is provided by node.js and is considered secure at
; the time of that versions release. If you have problems with the default cipher
; list, try enabling this "kinda high but more compatible" setting.
ciphers=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4

; honorCipherOrder=false
; rejectUnauthorized=false
; requestCert=true
; requestOCSP=false


[redis]
; options in this block require redis to be enabled in config/plugins.

; remember when a remote fails STARTTLS. The next time they connect,
;     don't offer STARTTLS option (so message gets delivered).
;     pro: increases mail reliability
;     con: reduces security
; default: false
; disable_for_failed_hosts=true


; no_tls_hosts - disable TLS for servers with broken TLS.
[no_tls_hosts]
127.0.0.1
; 192.168.1.1
; 172.16.0.0/16