Why not just disable the impacted ciphers?
This seems reasonable to me:
tls_require_ciphers =
-ALL:+HIGH:-SSLv2:!aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-MD5:AES256-SHA:AES128-SHA
On Fri, Oct 17, 2014 at 6:44 AM, Viktor Dukhovni <exim-users@???>
wrote:
> On Fri, Oct 17, 2014 at 02:44:16AM -0400, Chris Siebenmann wrote:
>
> > (This is not to say that you should leave SSLv3 on. I'd turn it off
> > for various reasons, including that it's ancient.)
>
> My advice is to leave it on. I understand that turning it off
> feels good, and may even appease some auditors, but the net effect
> of turning it off for SMTP is very slightly negative. A tiny, but
> perhaps sensitive, fraction of systems (some older anti-spam/anti-virus
> appliances) will now only be able to send you email in the clear.
>
> If you want to gain some security, consider disabling RC4 on port
> 587, where TLS should be mandatory, and if any of the submission
> clients are "bots" or other MTAs that use PLAIN auth, RC4 might
> leak their credentials after some millions of messages.
>
> All this said, most sites that choose to disable SSLv3, will likely
> not notice any difference either way. The fraction of SMTP traffic
> that is SSLv3 is tiny for most domains.
>
> --
> Viktor.
>
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
>
--
Brent Jones
brent@???
