Author: Phil Pennock
Date:
To: mje
CC: exim-users
Subject: Re: [exim] Exclude TLS_RSA_WITH_SEED_CBC_SHA from cipher list
On 2018-03-28 at 11:43 +0200, Mark Elkins via Exim-users wrote:
> Begs the question, do DANE-enabled machines therefore perhaps require a
> stronger encryption - as their owners should know what they are doing?
>
> I've no idea if it's possible to allow weaker encryption for
> opportunistic connections
> but enforce stronger encryption types on DANE compliant connections?
At present, it would require a bit of fiddling and logs-processing.
We have `$tls_out_dane` but the value is determined far too late to be
usable for setting `tls_require_ciphers` on the Transport.
We'd probably want some other variable, set as soon as we have DNS
signalling that DANE should be used, which can be referenced.
$smtp_found_dane or something? Note that DANE support is Experimental
and feedback and requests are a good thing (patches even better!).
If not willing to edit Exim's source, then at present I'd just make sure
that `log_selector` includes `+tls_certificate_verified` and look for
`CV=dane` in the logs. A logs processor could identify all domains
where that's seen, and things verified, and then update a DB of "domains
we should use better crypto for". It's hacky, but then it would be the
beginning of a lightweight reputation tracking system for outbound
connections.
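The log-processing workaround described above, as an added example that is not code from the original reply or from the Exim project: it scans mainlog delivery lines (`=>`) for `CV=dane`, collects the recipient domains and the MX hosts they were verified against, and renders the result as an lsearch-style file body. The log lines are constructed samples, and the `domain: strong` value format is an assumption about how one might later key a lookup from a Transport.

```python
import re
from collections import defaultdict

# Constructed sample Exim mainlog lines (not real traffic). CV= only appears
# when log_selector includes +tls_certificate_verified; CV=dane marks a
# delivery where the peer certificate was verified via DANE.
SAMPLE_MAINLOG = """\
2018-03-28 12:00:01 1f1aBc-0001Ab-2C => alice@example.org R=dnslookup T=remote_smtp H=mx1.example.org [192.0.2.10] X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=dane C="250 OK"
2018-03-28 12:00:05 1f1aBd-0001Ac-3D => bob@example.net R=dnslookup T=remote_smtp H=mail.example.net [198.51.100.5] X=TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no C="250 OK"
2018-03-28 12:01:09 1f1aBe-0001Ad-4E => carol@example.org R=dnslookup T=remote_smtp H=mx2.example.org [192.0.2.11] X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=dane C="250 OK"
2018-03-28 12:02:30 1f1aBf-0001Ae-5F => dave@example.com R=dnslookup T=remote_smtp H=mx.example.com [203.0.113.7] X=TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=yes C="250 OK"
2018-03-28 12:03:00 1f1aC0-0001Af-6G => erin@example.net R=dnslookup T=remote_smtp H=mail.example.net [198.51.100.5] C="250 OK"
"""

# Matches the first recipient of a delivery line ("=>"), the remote host (H=)
# and the certificate-verification result (CV=). Lines without CV= (no TLS,
# or the log selector not enabled) do not match and are skipped.
DELIVERY_RE = re.compile(
    r"=> \S+@(?P<domain>\S+) .*?\bH=(?P<host>\S+) .*?\bCV=(?P<cv>\w+)"
)


def dane_verified_domains(log_text):
    """Return {recipient_domain: {mx_host, ...}} for deliveries logged CV=dane."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = DELIVERY_RE.search(line)
        if m and m.group("cv") == "dane":
            seen[m.group("domain").lower()].add(m.group("host").lower())
    return dict(seen)


def render_lsearch(domains):
    """Render the domain set as an lsearch file body, one 'domain: strong' per line.
    The 'strong' value is an assumed tag for 'use better crypto for this domain'."""
    return "".join(f"{d}: strong\n" for d in sorted(domains))


if __name__ == "__main__":
    found = dane_verified_domains(SAMPLE_MAINLOG)
    for domain, hosts in sorted(found.items()):
        print(domain, "verified via DANE at", ", ".join(sorted(hosts)))
    print(render_lsearch(found), end="")
```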