Re: [exim] SSL forcing

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Andrew C Aitchison
Date:  
À: The Doctor
CC: exim-users
Sujet: Re: [exim] SSL forcing
On Sun, 19 May 2019, The Doctor via Exim-users wrote:

> How can I force e-mail from the Internet At large to be only accepted
> if and only if done by SSL/TLS methods?


Jeremy suggested
     ACL condition "encrypted"


Can I ask a supplementary question ?

TLS v1.0 and v1.1 are on the way out for https*;
how did you decide which versions to allow for mail ?

If you use the same certificate for smtp and pop, imap and/or https webmail
then using an old protocol leaves you open to cross-protocol downgrade
attacks (like DROWN but tls instead of ssl).

On the other hand, I see more effort put into updating encryption for web
than for mail.

* eg https://blog.mozilla.org/security/2018/10/15/removing-old-versions-of-tls/

Thanks,