Re: [exim] Exim TLS security, DH and standard parameters

Page principale
Ce message fait partie du fil suivant :
MArborescence complète du fil triée par date
M\Lena à <-
MMPhil Pennock à ->
Supprimer ce message
Répondre à ce message
Auteur: Jeremy Harris
Date:  
À: exim-users
Sujet: Re: [exim] Exim TLS security, DH and standard parameters
On 09/10/16 11:14, Lena@??? wrote:
> Am I understanding you correctly? That you recommend every
> Exim admin using OpenSSL to specify in the beginning of Exim config
>
> tls_dhparam = /path/dhparam.pem
>
> where the file should be generated once with commands
>
> openssl dhparam -out /path/dhparam.pem 2236
> chown root:mail /path/dhparam.pem
> chmod 640 /path/dhparam.pem
>
> For FreeBSD the /path/ can be /usr/local/etc/exim/

Adjusting as needed for commands and paths on your system, yes.
But the threat being defended against is not the simplest one
around; more obvious ones include

- targets not supporting TLS at all
- MITM intercepting STARTTLS, forcing downgrade to cleartext
- MITM terminating TLS and retransmitting to target
- MITM intercepting DNS, forcing diversion to a different MTA

--
Cheers,
Jeremy

Ce message a été envoyé sur les listes de diffusion suivantes :
Exim-users
Informations sur la liste de diffusion | Messages voisins		<-Re: [exim] Exim TLS security, DH and standard parameters[exim] Exim 4.88 RC2 uploaded->
Tahini and Hummus and Cumin Development Archives administré par cumin AdminsLurker (version 2.3)