Re: [exim] SSL forcing

Góra strony
Delete this message
Reply to this message
Autor: Viktor Dukhovni
Data:  
Dla: exim-users
Temat: Re: [exim] SSL forcing
> On May 19, 2019, at 1:00 PM, Cyborg via Exim-users <exim-users@???> wrote:
>
> Problem is, that even if tls_1.2 is out since 2008, a communication
> partner may use SSLv3 or TLS 1.0/1.1 and using just "encrypted = *" ,
> you will accept it.


My advice is to avoid knee-jerk reactions to mostly HTTP-related
risks in SSL/TLS and adopt a crypto-maximalist posture with SMTP.

Unlike interactive web browsing, MTA-to-MTA SMTP has no user to
"click OK" when an unimportant site they're visiting (today's
weather, not their bank) has no SSL, an expired certificate, ...

Since LOGJAM and DROWN, the SMTP MTA "ecosystem" has moved on
from "export" ciphers and SSL2/SSL3. You can now without loss
of interoperability expect at least 128-bit ciphers and TLS 1.0.
Which are adequate for SMTP, and better than cleartext. I am
not aware of any cross-protocol attacks against TLS 1.2 via
servers that use the same certificate with TLS 1.0/1.1. And
you really don't have to and shouldn't use the same certificate
across multiple unrelated services.

> It's better to check the protocol via $tls_cipher for tls 1.2 and 1.3 ,
> and reject anything not 1.2 or 1.3.
>
> If your in the EU, you need to consider this, as §32 EU GDPR states
> "the used technique(Encryption) to proctect the transport of personal
> data has to be state of the art" aka TLS 1.2 or 1.3 .


From the Gmail transparency report:

https://transparencyreport.google.com/safer-email/overview

we that some ~10% of email traffic is presently cleartext (not
even TLS 1.0). Some major sources and destinations that never
or only sometimes use TLS are:

Top domains (World): Inbound

Domain    %
From: adobe.com via adobesystems.com    87%
From: aliexpress.com via alibaba.com    0%
From: cmail19.com via createsend.com    92%
From: cmail20.com via createsend.com    91%
From: costco.com    0%
From: cuenote.jp    90%
From: emergencyemail.org    0%
From: infusionmail.com    95%
From: secureserver.net    59%
From: timesjobs.com via tbsl.in    0%


Top domains (World): Outbound

Domain    %
To: alice.it via aliceposta.it    0%
To: amazon.{...}    60%
To: bigpond.com    0%
To: btinternet.com via cpcloud.co.uk    0%
To: docomo.ne.jp    0%
To: ezweb.ne.jp    0%
To: nauta.cu via etecsa.net    0%
To: softbank.jp    0%
To: uol.com.br    0%
To: yahoo.co.jp    0%



For Europe the top non-TLS peers are:

Top domains (Europe): Inbound

Domain    %
From: adidas.com via neolane.net    92%
From: bebee.com    0%
From: bloglovin.com    0%
From: gog.com    27%
From: kuponya.net    0%
From: mail-cdiscount.com    0%
From: meetic.com    87%
From: radar-de-novidades.com    0%
From: seniorplanet.fr    0%
From: useinsider.com    44%


Top domains (Europe): Outbound

Domain    %
To: alice.it via aliceposta.it    0%
To: amazon.{...}    0%
To: btinternet.com via cpcloud.co.uk    0%
To: istruzione.it    0%
To: leboncoin.fr    0%
To: pole-emploi.net via prosodie.com    0%
To: sch.gr    0%
To: t-online.hu    0%
To: tin.it    0%
To: tiscali.it    0%


-- 
    Viktor.