Autor: Jeremy Harris Datum: To: exim-users Betreff: Re: [exim] Exim TLS security, DH and standard parameters
On 09/10/16 11:14, Lena@??? wrote: > Am I understanding you correctly? That you recommend every
> Exim admin using OpenSSL to specify in the beginning of Exim config
>
> tls_dhparam = /path/dhparam.pem
>
> where the file should be generated once with commands
>
> openssl dhparam -out /path/dhparam.pem 2236
> chown root:mail /path/dhparam.pem
> chmod 640 /path/dhparam.pem
>
> For FreeBSD the /path/ can be /usr/local/etc/exim/
Adjusting as needed for commands and paths on your system, yes.
But the threat being defended against is not the simplest one
around; more obvious ones include
- targets not supporting TLS at all
- MITM intercepting STARTTLS, forcing downgrade to cleartext
- MITM terminating TLS and retransmitting to target
- MITM intercepting DNS, forcing diversion to a different MTA