Re: [exim] Exclude TLS_RSA_WITH_SEED_CBC_SHA from cipher lis…

Author: Mike Brudenell
Date:  
To: Exim Users
Subject: Re: [exim] Exclude TLS_RSA_WITH_SEED_CBC_SHA from cipher list
Could I ask a possibly radical question of the list?

Firstly, I fully appreciate that a number of older encryption protocols and
ciphers are very weak. So *preferring* stronger ones over the weaker ones
has a clear benefit.

But given that most MTA to MTA traffic uses *opportunistic* encryption,
falling back to cleartext transfers if no encryption can be agreed between
the servers, isn't it better to continue to offer and use in such
situations a weak cipher than none at all? That is, weak encryption of a
message is better than none at all?

The exceptions being, of course, scenarios like:

- you require your incoming MTA to MTA traffic to arrive over an
encrypted connection and reject messages arriving in cleartext, or
- for MUA to MSA submissions as authentication credentials are usually
involved.

Cheers,
Mike B-)

On 28 March 2018 at 08:10, Konstantin Boyandin via Exim-users <
exim-users@???> wrote:

> Hello,
>
> After having scanned 4.90.1 installation with OpenVAS, the below was
> reported:
>
> 'Weak' cipher suites accepted by this service via the
> TLSv1.0/TLSv1.1/TLSv1.2 protocols: TLS_RSA_WITH_SEED_CBC_SHA
>
> Default settings (no explicit "tls_require_ciphers", "openssl_options")
> are in use.
>
> Can someone recommend simplest ciphers selection for Exim, to exclude the
> mentioned cipher? The settings present on cipherli.st:
>
> tls_require_ciphers = AES128+EECDH:AES128+EDH
> openssl_options = +no_sslv2 +no_sslv3
>
> seem kind of too strict, there were reported problems receiving email
> after the above were put in effect.
>
> Sincerely,
> Konstantin
>
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
>
--
Systems Administrator & Change Manager
IT Services, University of York, Heslington, York YO10 5DD, UK
Tel: +44-(0)1904-323811

Web: www.york.ac.uk/it-services
Disclaimer: www.york.ac.uk/docs/disclaimer/email.htm
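As an added example, not code from either poster or from the Exim project: a Python check, using the host's OpenSSL through the ssl module, of what a candidate tls_require_ciphers value actually enables, so the scan finding can be verified before and after a change. It assumes Exim is linked against OpenSSL (a GnuTLS build uses a different priority-string syntax); the strings compared are the cipherli.st value quoted above and a minimal DEFAULT:!SEED, which is plain OpenSSL cipher-list syntax and not something suggested in the thread.

```python
import ssl

# OpenSSL short name -> IANA name as reported by OpenVAS (constructed mapping;
# only the one suite the scan flagged is needed here).
IANA_NAMES = {"SEED-SHA": "TLS_RSA_WITH_SEED_CBC_SHA"}

# Candidate tls_require_ciphers values (OpenSSL cipher-list syntax).
CIPHERLIST_ST = "AES128+EECDH:AES128+EDH"   # quoted in the thread
MINIMAL_EXCLUDE = "DEFAULT:!SEED"           # assumption: just drop SEED suites


def suites_for(cipher_string):
    """OpenSSL names of the suites a cipher string enables on this host.

    The result reflects the local OpenSSL build, which is also what Exim
    would negotiate with when built against the same library.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]


def flagged_suites(cipher_string, flagged=("SEED-SHA",)):
    """IANA names of the flagged suites still enabled (empty list = clean)."""
    enabled = set(suites_for(cipher_string))
    return sorted(IANA_NAMES.get(n, n) for n in flagged if n in enabled)


def compare(a, b):
    """Suites enabled by string a but not by b: what a stricter list costs."""
    return sorted(set(suites_for(a)) - set(suites_for(b)))


if __name__ == "__main__":
    for label, value in (("cipherli.st", CIPHERLIST_ST), ("minimal", MINIMAL_EXCLUDE)):
        print(f"{label:12} {len(suites_for(value)):3} suites, flagged: {flagged_suites(value)}")
    # Suites the minimal exclusion keeps that the cipherli.st string drops;
    # these are the peers that would fall back to cleartext with the strict list.
    print("kept only by minimal:", compare(MINIMAL_EXCLUDE, CIPHERLIST_ST))
```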