Re: [exim] Exim TLS security, DH and standard parameters

Author: Jeremy Harris
Date:  
To: exim-users
Subject: Re: [exim] Exim TLS security, DH and standard parameters
On 09/10/16 11:14, Lena@??? wrote:
> Am I understanding you correctly? That you recommend every
> Exim admin using OpenSSL to specify in the beginning of Exim config
>
> tls_dhparam = /path/dhparam.pem
>
> where the file should be generated once with commands
>
> openssl dhparam -out /path/dhparam.pem 2236
> chown root:mail /path/dhparam.pem
> chmod 640 /path/dhparam.pem
>
> For FreeBSD the /path/ can be /usr/local/etc/exim/


Adjusting as needed for commands and paths on your system, yes.
But the threat being defended against is not the simplest one
around; more obvious ones include

- targets not supporting TLS at all
- MITM intercepting STARTTLS, forcing downgrade to cleartext
- MITM terminating TLS and retransmitting to target
- MITM intercepting DNS, forcing diversion to a different MTA

--
Cheers,
Jeremy
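The generate-and-lock-down procedure quoted above, as an added shell example that is not code from the thread or from Exim: it wraps the three commands in functions and adds the checks an admin would want before pointing tls_dhparam at the file (openssl's own parameter sanity check, the prime length, and the file mode). It assumes openssl is in PATH and that root:mail is the right owner for your Exim; chown is skipped when not run as root.

```shell
#!/bin/sh
# Added example, not code from the thread: generate a DH parameter file for
# Exim's tls_dhparam, then verify it and its permissions before trusting it.
# Assumptions: openssl in PATH; root:mail is the owner:group your Exim reads
# as (adjust for your system); chown is skipped when not run as root.
set -eu

# gen_dhparam FILE BITS OWNER:GROUP  (the post uses 2236 bits)
gen_dhparam() {
    file=$1; bits=$2; owner=$3
    # umask in a subshell so the file is never world-readable, even briefly
    ( umask 077; openssl dhparam -out "$file" "$bits" 2>/dev/null )
    chown "$owner" "$file" 2>/dev/null || true   # needs root; otherwise skipped
    chmod 640 "$file"
}

# dhparam_bits FILE -> prints the prime length, taken from the
# "DH Parameters: (N bit)" line that openssl prints for the file
dhparam_bits() {
    openssl dhparam -in "$1" -text -noout 2>/dev/null \
        | sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# verify_dhparam FILE MINBITS -> 0 only if the file parses, passes openssl's
# own check (p prime, (p-1)/2 prime, usable generator) and p >= MINBITS
verify_dhparam() {
    openssl dhparam -in "$1" -check -noout >/dev/null 2>&1 || return 1
    bits=$(dhparam_bits "$1")
    [ -n "$bits" ] && [ "$bits" -ge "$2" ]
}

# dhparam_private FILE -> 0 only if FILE exists and is neither readable by
# "other" nor writable by group/other (mode 640 or tighter)
dhparam_private() {
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" \( -perm -004 -o -perm -020 -o -perm -002 \) -print)" ]
}

# Usage: sh dhparam.sh /usr/local/etc/exim/dhparam.pem 2236
# (generation only runs when both arguments are given)
if [ $# -eq 2 ]; then
    gen_dhparam "$1" "$2" root:mail
    if verify_dhparam "$1" 2048 && dhparam_private "$1"; then
        echo "OK: $1 is a $(dhparam_bits "$1")-bit parameter set, mode 640"
    else
        echo "FAILED: do not point tls_dhparam at $1" >&2
        exit 1
    fi
fi
```

Generating 2236-bit parameters can take several minutes; that is expected, and the file only needs to be generated once.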