Bug#515999: Workaround for outlook error 0x800CCC1A

Sam Morris sam at robots.org.uk
Mon Mar 2 17:21:13 UTC 2009


> For maximum interoperability a safer default should be chosen, such as
> not using any certificates or using a separate store in /etc/exim (like
> the default certificate files).

For those who, after upgrading to lenny, are receiving the following
error with Outlook:

        Task '[account] - Sending' reported error (0x800CCC1A): 'Your
        server does not support the connection encryption type you have
        specified. Try changing the encryption method. Contact your mail
        server administrator or Internet service provider (ISP) for
        additional assistance'.

Accompanied by the following Exim log messages:

        TLS error on connection from [host] (gnutls_handshake): A record
        packet with illegal version was received.

Don't worry, the error message is totally wrong in every way. You don't
need to screw around with your account settings. You do, however, need
to disable the verification of client certificates.

To do this, place the following in /etc/exim4/conf.d/00_localmacros and
reload exim:

        MAIN_TLS_TRY_VERIFY_HOSTS = 

That is, set the macro to the empty string.

Perhaps tls_try_verify_hosts should not be set to '*' by default, given
that:

     1. It does not increase security
     2. It results in about 35 KiB of overhead for each TLS-using
        connection
     3. It causes one of the most popular mail clients to barf

-- 
Sam Morris <sam at robots.org.uk>
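
The check below is an added example, not part of the original message or of the exim4 package. It counts, per client, the GnuTLS handshake error quoted above in an Exim main log, and confirms that a macro file sets MAIN_TLS_TRY_VERIFY_HOSTS to the empty string. The function names, the file paths passed as arguments, and the sample log lines (timestamps, hosts, line layout) are constructed assumptions.

```shell
#!/bin/sh
# Added example: all log lines and file contents here are constructed samples.

# Print "count client" for each client that hit the handshake error quoted
# in the message, most frequent first. $1: path to an Exim main log.
handshake_failures() {
    sed -n 's/.*TLS error on connection from \(.*\) (gnutls_handshake): A record packet with illegal version was received\.$/\1/p' "$1" |
        sort | uniq -c | sort -rn |
        awk '{ c = $1; $1 = ""; sub(/^ /, ""); print c, $0 }'
}

# Succeed only if the macro file defines MAIN_TLS_TRY_VERIFY_HOSTS as the
# empty string (nothing but optional whitespace after "=").
# $1: path to the local macros file.
macro_is_empty() {
    grep -Eq '^[[:space:]]*MAIN_TLS_TRY_VERIFY_HOSTS[[:space:]]*=[[:space:]]*$' "$1"
}

# Write a constructed sample log to $1 (three matching lines, one unrelated).
write_sample_log() {
    cat > "$1" <<'EOF'
2009-03-02 17:05:11 TLS error on connection from pc1.example.com [192.0.2.10] (gnutls_handshake): A record packet with illegal version was received.
2009-03-02 17:05:40 1LeBxy-0001Ab-Cd <= user@example.com H=pc2.example.com [192.0.2.20] P=esmtpsa S=1024
2009-03-02 17:06:02 TLS error on connection from pc1.example.com [192.0.2.10] (gnutls_handshake): A record packet with illegal version was received.
2009-03-02 17:09:30 TLS error on connection from [192.0.2.30] (gnutls_handshake): A record packet with illegal version was received.
EOF
}

demo() {
    tmp=$(mktemp -d) || return 1
    write_sample_log "$tmp/mainlog"
    printf 'MAIN_TLS_TRY_VERIFY_HOSTS = \n' > "$tmp/00_localmacros"
    echo "Clients affected by the handshake error:"
    handshake_failures "$tmp/mainlog"
    if macro_is_empty "$tmp/00_localmacros"; then
        echo "MAIN_TLS_TRY_VERIFY_HOSTS is empty: workaround in place"
    else
        echo "MAIN_TLS_TRY_VERIFY_HOSTS not set to the empty string"
    fi
    rm -rf "$tmp"
}

demo
```

On a real system, pass the actual main log and local macros file to the two functions; a count that stops growing after the reload indicates the workaround took effect.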





More information about the Pkg-exim4-maintainers mailing list