Re: [exim] Exclude TLS_RSA_WITH_SEED_CBC_SHA from cipher lis…

Αρχική Σελίδα
Delete this message
Reply to this message
Συντάκτης: Mark Elkins
Ημερομηνία:  
Προς: exim-users
Αντικείμενο: Re: [exim] Exclude TLS_RSA_WITH_SEED_CBC_SHA from cipher list
Begs the question, do DANE enabled machine therefore perhaps require a
stronger encryption - as their owners should know what they are doing?

I've no idea if its possible to allow weaker encryption for
opportunistic connections
but enforce stronger encryption types on DANE compliant connections?


On 28/03/2018 11:21, Mike Brudenell via Exim-users wrote:
> Could I ask a possibly radical question of the list?
>
> Firstly, I fully appreciate that a number of older encryption protocols and
> ciphers are very weak. So *preferring* stronger ones over the weaker ones
> has a clear benefit.
>
> But given that most MTA to MTA traffic uses *opportunistic* encryption,
> falling back to cleartext transfers if no encryption can be agreed between
> the servers, isn't it better to continue to offer and use in such
> situations a weak cipher than none at all? That is, weak encryption of a
> message is better than none at all?
>
> The exceptions being, of course, scenarios like:
>
>    - you require your incoming MTA to MTA traffic to arrive over an
>    encrypted connection and reject messages arriving in cleartext, or
>    - for MUA to MSA submissions as authentication credentials are usually
>    involved.

>
> Cheers,
> Mike B-)
>
> On 28 March 2018 at 08:10, Konstantin Boyandin via Exim-users <
> exim-users@???> wrote:
>
>> Hello,
>>
>> After having scanned 4.90.1 installation with OpenVAS, the below was
>> reported:
>>
>> 'Weak' cipher suites accepted by this service via the
>> TLSv1.0/TLSv1.1/TLSv1.2 protocols: TLS_RSA_WITH_SEED_CBC_SHA
>>
>> Default settings (no explicit "tls_require_ciphers", "openssl_options")
>> are in use.
>>
>> Can someone recommend simplest ciphers selection for Exim, to exclude the
>> mentioned cipher? The settings present on cipherli.st:
>>
>> tls_require_ciphers = AES128+EECDH:AES128+EDH
>> openssl_options = +no_sslv2 +no_sslv3
>>
>> seem kind of too strict, there were reported problems receiving email
>> after the above were put in effect.
>>
>> Sincerely,
>> Konstantin
>>
>> --
>> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
>> ## Exim details at http://www.exim.org/
>> ## Please use the Wiki with this list - http://wiki.exim.org/
>>
>
>


-- 
Mark James ELKINS  -  Posix Systems - (South) Africa
mje@???       Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za