Re: [exim] [PATCH 2/2] Docs: state out why ssmpt is not obso…

Author: Heiko Schlittermann
Date:  
To: exim-users
Subject: Re: [exim] [PATCH 2/2] Docs: state out why ssmpt is not obsolete
Hi,

Bjoern Jacke <bjacke@???> (Do 06 Aug 2015 15:12:50 CEST):
> +Plain SSL for SMTP was officially deprecated in favor of the STARTTLS approach.
> +You should consider though, that clients often use opportunistic STARTTLS and do
> +not enforce TLS unconditionally. This makes the communication between those
> +clients and server easily vulnerable to MITM attacks, which can suppress
> +encyrption completely. For that reason some people still prefer SSMTP and do
> +not enable SMTP via port 587 to mitigate the possibility of such MITM attacks.
> +Exim supports smtps for clients by means of the &%tls_on_connect_ports%& global
> +option. Its value must be a list of port numbers; the most common use is
> +expected to be:
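Review bot: the sentence "do not enable SMTP via port 587 to mitigate the possibility of such MITM attacks" should not go into the manual in that form; by the hunk's own argument the risk comes from clients that "do not enforce TLS unconditionally", and a server that turns off 587 does not stop such a client from negotiating (or being downgraded) on port 25, so suggest rewording to say that TLS-on-connect avoids the opportunistic STARTTLS negotiation step, rather than implying that 587 itself is unsafe. "Plain SSL for SMTP was officially deprecated" needs a reference (which document deprecated it) or should be softened, and "some people still prefer" is vague for reference documentation. Also fix the typo "encyrption" and settle on one name for the protocol: the hunk uses both "SSMTP" and "smtps", and the subject line has "ssmpt".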


As far as I know port 465 and plain SSL are still deprecated. It's easy
to force TLS (via STARTTLS) as a precondition to client authentication.

    begin authenticators
        …
        server_advertise_condition = ${if def:tls_cipher}

But as long as clients do not insist on TLS/SSL and do not verify the
server's certificate, a MITM can do anything.


    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
-- 
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
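The configuration Heiko sketches, written out as a complete Exim fragment. This is an added example for this page, not code from his message, from the patch, or from the Exim distribution: it listens for STARTTLS on 25 and 587, for TLS-on-connect (the SSMTP/smtps case the patch documents) on 465 via `tls_on_connect_ports`, and advertises AUTH PLAIN only once a TLS session exists, using the `${if def:tls_cipher}` condition from the message. The certificate paths, the authenticator name `plain_tls_only`, and the literal username/password check are placeholders.

```exim
# Main section. Ports listed in tls_on_connect_ports must also appear in
# daemon_smtp_ports. 25 and 587 offer STARTTLS; 465 starts TLS immediately.
daemon_smtp_ports = 25 : 465 : 587
tls_on_connect_ports = 465

# Offer STARTTLS to everyone. Certificate and key paths are placeholders.
tls_advertise_hosts = *
tls_certificate = /etc/exim/ssl/mail.example.org.pem
tls_privatekey = /etc/exim/ssl/mail.example.org.key

begin authenticators

# Placeholder name for the authenticator.
plain_tls_only:
  driver = plaintext
  public_name = PLAIN
  # Advertise AUTH only when the session is already encrypted, whether by
  # STARTTLS on 25/587 or by TLS-on-connect on 465. Without an advertised
  # mechanism, Exim rejects AUTH, so a cleartext session can never carry
  # a password.
  server_advertise_condition = ${if def:tls_cipher}
  # Accept an empty initial response so clients may send credentials in
  # a second step.
  server_prompts = :
  # For PLAIN, $auth2 is the authentication id and $auth3 the password.
  # Placeholder check: replace with a lookup against your user database.
  server_condition = ${if and{{eq{$auth2}{user}}{eq{$auth3}{secret}}}}
  server_set_id = $auth2
```

The `server_advertise_condition` line is the server-side control: it guarantees that credentials are never accepted over cleartext. It does not, as the message points out, protect a client that will silently continue without TLS when an active attacker strips the STARTTLS offer; only the client insisting on TLS and verifying the server certificate closes that gap, and TLS-on-connect on 465 merely removes the negotiation step that such stripping targets.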