Re: [exim] Exclude TLS_RSA_WITH_SEED_CBC_SHA from cipher lis…

Top Page
This message is part of the following thread:
M-+\the complete thread tree sorted by date
M\MMPhil Pennock at <-
MMKonstantin Boyandin at ->
Delete this message
Reply to this message
Author: Jeremy Harris
Date:  
To: exim-users
Subject: Re: [exim] Exclude TLS_RSA_WITH_SEED_CBC_SHA from cipher list
On 28/03/18 10:43, Mark Elkins via Exim-users wrote:
> I've no idea if its possible to allow weaker encryption for
> opportunistic connections
> but enforce stronger encryption types on DANE compliant connections?

tls_required_ciphers on the smtp transport is expanded;
do a dnsdb lookup (or series) probing for the existence
of TLSA records, and tune the ciphers depending on that.

How complicated you want to make it depends on how
closely you want to emulate the actual DANE lookup sequence.
I'd not suggest worrying about the content of the
TLSA records, for example.

You'll be doubling the traffic to the resolver, if that's
a factor. I strongly suggest you should be running
a caching resolver locally, but YMMV.
--
Cheers,
Jeremy

This message was posted to the following mailing lists:
Exim-users
Mailing List Info | Nearby Messages		<-Re: [exim] How to rewrite From: header of offsite forwards only to prevent Amazon SES 554 error[exim] acl_check_data discard, deny condition not working->
Tahini and Hummus and Cumin Development Archives administrated by cumin AdminsLurker (version 2.3)