The TLS config of our MXes is outdated by modern standards:
- Supports TLS 1.0
- Outdated ciphers
- No PFS
- No OCSP stapling
- (probably others)
We should address that ASAP, although it's probably better to wait for the upgrade to stretch (T175361) to complete first. For example, OCSP stapling was attempted and implemented before, but reverted with 90dbb023366cc761073f1b15edb37ccc33fd49f9 because of implementation bugs with jessie's exim version.
Note that exim4 uses GnuTLS, so both its cipher support and its configuration etc. are a bit different.
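
As an added illustration (not the MXes' actual configuration and not taken from this task), here is how the items listed above map onto Exim main-configuration options when Exim is built against GnuTLS. The priority string and the file path are assumptions to adapt and test against the installed Exim and GnuTLS versions.

```conf
# Added example: Exim main-configuration fragment for a GnuTLS build.
# All values are assumptions to adapt, not the MXes' real settings.

# Offer STARTTLS to every connecting host.
tls_advertise_hosts = *

# With GnuTLS, tls_require_ciphers takes a GnuTLS priority string,
# not an OpenSSL cipher list.
#   NORMAL              GnuTLS default set as the starting point
#   -VERS-SSL3.0        drop SSL 3.0 where the library still enables it
#   -VERS-TLS1.0        drop TLS 1.0
#   -RSA                drop static RSA key exchange, leaving (EC)DHE (PFS)
#   -ARCFOUR-128        drop RC4
#   -3DES-CBC           drop 3DES
#   %SERVER_PRECEDENCE  use the server's cipher preference order
tls_require_ciphers = NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-RSA:-ARCFOUR-128:-3DES-CBC:%SERVER_PRECEDENCE

# OCSP stapling: a file holding a current OCSP response for the
# server certificate. Left commented out because the task reports
# implementation bugs with jessie's exim version.
# The path below is a placeholder.
# tls_ocsp_file = /path/to/ocsp-response.der
```

Running `gnutls-cli --list --priority '<string>'` on the MX host shows which protocol versions and cipher suites the installed GnuTLS derives from a priority string before it is deployed.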