Author: Jeremy Harris
Date:
To: exim-users
Subject: Re: [exim] Exclude TLS_RSA_WITH_SEED_CBC_SHA from cipher list

On 28/03/18 10:43, Mark Elkins via Exim-users wrote:
> I've no idea if its possible to allow weaker encryption for
> opportunistic connections
> but enforce stronger encryption types on DANE compliant connections?
tls_required_ciphers on the smtp transport is expanded;
do a dnsdb lookup (or series) probing for the existence
of TLSA records, and tune the ciphers depending on that.
How complicated you want to make it depends on how
closely you want to emulate the actual DANE lookup sequence.
I'd not suggest worrying about the content of the
TLSA records, for example.
You'll be doubling the traffic to the resolver, if that's
a factor. I strongly suggest you should be running
a caching resolver locally, but YMMV.
--
Cheers,
Jeremy
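An added configuration sketch of the approach described above (not from the original thread or from the Exim project): the smtp transport's cipher option, spelled tls_require_ciphers in Exim's configuration, is expanded per host, and a dnsdb probe for TLSA records under the conventional `_25._tcp.<host>` owner name selects the stricter list. Assumptions: OpenSSL-style cipher strings (GnuTLS builds use priority strings instead), port 25 hard-coded, and `$host` used as-is with no MX or CNAME canonicalisation, as the reply says is acceptable.

```exim
# Added example, not the thread's or the project's own configuration.
# Assumptions: OpenSSL cipher-string syntax; dnsdb "tlsa" lookup keyed by
# the owner name _25._tcp.<host>; $host probed directly (no CNAME chasing).
remote_smtp:
  driver = smtp
  # attempt DANE verification where the destination publishes TLSA records
  hosts_try_dane = *
  # dnsdb is a query-style lookup: the first braced expansion is used when
  # at least one TLSA record exists, the second when the probe finds none.
  # TLSA present  -> strong ciphers only (SEED, anonymous and MD5 suites out)
  # TLSA absent   -> opportunistic TLS, default list minus the SEED suites
  tls_require_ciphers = ${lookup dnsdb{tlsa=_25._tcp.$host} \
      {HIGH:!SEED:!aNULL:!MD5} \
      {DEFAULT:!SEED}}
```

Each probe is an extra resolver query per outbound host, which is why a local caching resolver is worth having before enabling this.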