Re: [exim-dev] [Bug 1535] Option for SSL/TLS Protocol config…

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Viktor Dukhovni
Dátum:  
Címzett: exim-dev
Tárgy: Re: [exim-dev] [Bug 1535] Option for SSL/TLS Protocol configuration missing/required
On Thu, Oct 16, 2014 at 12:44:01AM +0100, Phil Pennock wrote:

> http://bugs.exim.org/show_bug.cgi?id=1535
>
>     openssl_options = +no_sslv2 +no_sslv3


Don't know if any of you folks are lurkers on postfix-users,
so to repeat here:

POODLE is NOT an SMTP attack. In any case SMTP is opportunistic,
and turning off weaker crypto just causes (a few) more peers
to send in the clear.

Don't disable SSLv3 for SMTP as a knee-jerk reaction. There is no
need to do so. The net effect of doing so is slightly negative.
"Slightly" because so few SMTP connections employ SSLv3 in the
first place. However, a few sites have been observed recently to
have older SMTP security appliances that are SSLv3-only, and some
of these are banks.

You can if you wish disable SSLv3, but do it after examining your
own logs to determine whether any peers you care about are going
to be impacted. Understand that doing so is mosly because you're
trying to make a statement, rather than improve security (again
the net effect is slightly more traffic in the clear).

[ Making a statement is fine, we do want the world to move on,
just don't do yourself more harm than good. ]

-- 
    Viktor.