Re: [exim] [PATCH 2/2] Docs: state out why ssmpt is not obso…

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Heiko Schlittermann
Datum:  
To: exim-users
Betreff: Re: [exim] [PATCH 2/2] Docs: state out why ssmpt is not obsolete
Hi,

Bjoern Jacke <bjacke@???> (Do 06 Aug 2015 15:12:50 CEST):
> +Plain SSL for SMTP was officially deprecated in favor of the STARTTLS approach.
> +You should consider though, that clients often use opportunistic STARTTLS and do
> +not enforce TLS unconditionally. This makes the communication between those
> +clients and server easily vulnerable to MITM attacks, which can suppress
> +encyrption completely. For that reason some people still prefer SSMTP and do
> +not enable SMTP via port 587 to mitigate the possibility of such MITM attacks.
> +Exim supports smtps for clients by means of the &%tls_on_connect_ports%& global
> +option. Its value must be a list of port numbers; the most common use is
> +expected to be:


As far as I know port 465 and plain SSL are still deprecated. It's easy
to force TLS (via STARTTLS) as a precondition to client authentication.

    begin authenticators


        …
        server_advertise_condition = ${if def:tls_cipher}


But as long as clients do not insist on TLS/SSL and do not verify the
servers certificate, a MITM can do anything.


    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
-- 
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -