Re: [exim] Exim TLS security, DH and standard parameters

Góra strony
Delete this message
Reply to this message
Autor: Jeremy Harris
Data:  
Dla: exim-users
Temat: Re: [exim] Exim TLS security, DH and standard parameters
On 09/10/16 11:14, Lena@??? wrote:
> Am I understanding you correctly? That you recommend every
> Exim admin using OpenSSL to specify in the beginning of Exim config
>
> tls_dhparam = /path/dhparam.pem
>
> where the file should be generated once with commands
>
> openssl dhparam -out /path/dhparam.pem 2236
> chown root:mail /path/dhparam.pem
> chmod 640 /path/dhparam.pem
>
> For FreeBSD the /path/ can be /usr/local/etc/exim/


Adjusting as needed for commands and paths on your system, yes.
But the threat being defended against is not the simplest one
around; more obvious ones include

- targets not supporting TLS at all
- MITM intercepting STARTTLS, forcing downgrade to cleartext
- MITM terminating TLS and retransmitting to target
- MITM intercepting DNS, forcing diversion to a different MTA

--
Cheers,
Jeremy