On 19.05.19 at 19:24, Jeremy Harris via Exim-users wrote:
> On 19/05/2019 18:00, Cyborg via Exim-users wrote:
>> Problem is, that even if tls_1.2 is out since 2008, a communication
>> partner may use SSLv3 or TLS 1.0/1.1 and using just "encrypted = *" ,
>> you will accept i
>>
>> It's better to check the protocol via $tls_cipher for tls 1.2 and 1.3 ,
>> and reject anything not 1.2 or 1.3.
> If you are concerned about TLS versions, the easiest configuration
> is using tls_require_ciphers (for GnuTLS, where it is a GnuTLS priority
> string) or openssl_options (for OpenSSL).
>
... and here reality kicks in :D Let me explain ...

If you disable TLS < 1.2 for any TLS host you get in contact with, you may
end up with some important server, unfortunately created by Dumb & Dumber
Corp (e.g. Citrix) and therefore not equipped with a working TLS 1.2 or
better MTA, which does not transport personal, but vital system data.

Which sums up to: we want to check TLS 1.2+ for "normal" connections, but
may need to receive TLS < 1.2 for some special servers, and don't want to
make special cases in the config file. We, e.g., have the switches in a DB
on a per-case schema.
On 19.05.19 at 19:13, Andrew C Aitchison via Exim-users wrote:
> TLS v1.0 and v1.1 are on the way out for https*;
> how did you decide which versions to allow for mail ?
deny condition = ${if eq{${substr_0_7:$tls_cipher}}{TLSv1.2} {0}{1}}
Of course you need one for 1.3 too.
> If you use the same certificate for smtp and pop, imap and/or https webmail
> then using an old protocol leaves you open to cross-protocol
> downgrade attacks (like DROWN but tls instead of ssl).
Certs are not bound to protocols.
> On the other hand, I see more effort put into updating encryption
> for web than for mail.
Not really, it's basically the same.
best regards,
Marius
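The decision logic discussed in this thread (reject anything below TLS 1.2 on ordinary connections, but tolerate older protocol versions for a known set of legacy hosts kept outside the config file), emulated in Python so it can be tested outside Exim. This is an added example, not code from the thread or from the Exim project. It assumes `$tls_cipher` is prefixed with the protocol version as in the post (`TLSv1.2:...`, OpenSSL builds; older versions appear as `TLSv1:...`) and also accepts the `TLS1.2:...` prefix form assumed here for GnuTLS builds; the per-host exception table stands in for the database mentioned above, and the host addresses and cipher strings are constructed sample data.

```python
"""Emulate an Exim ACL TLS-version check with per-host legacy exceptions.

Added example, not from the mailing-list thread or from Exim itself.
Assumed $tls_cipher forms (constructed samples):
  "TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256"   OpenSSL-style prefix (as in the post)
  "TLSv1:ECDHE-RSA-AES256-SHA:256"            OpenSSL-style prefix for TLS 1.0
  "TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256"   prefix form assumed for GnuTLS builds
"""
import re
from typing import Optional, Tuple

# Versions acceptable on ordinary connections.
MODERN_VERSIONS = {"1.2", "1.3"}

# Stand-in for the per-case database: sender host -> lowest TLS version
# tolerated for that host. Constructed sample data (documentation address range).
LEGACY_EXCEPTIONS = {
    "203.0.113.10": "1.0",  # hypothetical legacy appliance that only speaks TLS 1.0
}

# "TLSv1.2:", "TLSv1:" and "TLS1.2:" all match; "SSLv3:" and empty strings do not.
_VERSION_RE = re.compile(r"^TLSv?(\d)(?:\.(\d))?:")


def tls_version(tls_cipher: str) -> Optional[str]:
    """Return the TLS version ("1.0", "1.2", ...) encoded in a $tls_cipher value.

    Returns None for an empty value (plaintext session), an SSLv3 prefix, or any
    string not in the expected prefix form, so callers treat it as "not modern TLS".
    """
    m = _VERSION_RE.match(tls_cipher or "")
    if not m:
        return None
    return f"{m.group(1)}.{m.group(2) or '0'}"


def _as_tuple(version: str) -> Tuple[int, int]:
    major, minor = version.split(".")
    return int(major), int(minor)


def post_check_denies(tls_cipher: str) -> bool:
    """Literal emulation of the rule posted in the thread:
    deny condition = ${if eq{${substr_0_7:$tls_cipher}}{TLSv1.2} {0}{1}}
    i.e. deny unless the first seven characters are exactly "TLSv1.2".
    As written it also denies TLS 1.3 (hence the remark that a second rule is
    needed) and denies the "TLS1.2:" prefix form assumed for GnuTLS builds.
    """
    return tls_cipher[:7] != "TLSv1.2"


def accept(sender_host: str, tls_cipher: str) -> Tuple[bool, str]:
    """Combined policy: accept TLS 1.2/1.3 from anyone; accept an older version
    only from a host with an explicit exception whose recorded floor it meets;
    reject everything else (including plaintext and SSLv3)."""
    version = tls_version(tls_cipher)
    if version is None:
        return False, "no TLS version found in $tls_cipher (plaintext, SSLv3 or unknown form)"
    if version in MODERN_VERSIONS:
        return True, f"TLS {version} accepted"
    floor = LEGACY_EXCEPTIONS.get(sender_host)
    if floor is not None and _as_tuple(version) >= _as_tuple(floor):
        return True, f"legacy TLS {version} tolerated for {sender_host} (exception floor {floor})"
    return False, f"TLS {version} rejected: below 1.2 and no exception for {sender_host}"


if __name__ == "__main__":
    # Constructed sample connections: (sender host, $tls_cipher)
    samples = [
        ("198.51.100.5", "TLSv1.3:TLS_AES_256_GCM_SHA384:256"),
        ("198.51.100.5", "TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256"),
        ("198.51.100.5", "TLSv1:ECDHE-RSA-AES256-SHA:256"),
        ("203.0.113.10", "TLSv1:ECDHE-RSA-AES256-SHA:256"),
        ("203.0.113.10", "SSLv3:DES-CBC3-SHA:168"),
        ("203.0.113.10", ""),
    ]
    for host, cipher in samples:
        ok, why = accept(host, cipher)
        print(f"{host:14} {cipher or '<plaintext>':42} -> {'ACCEPT' if ok else 'DENY':6} {why}")
```

The version is parsed rather than compared as a fixed seven-character prefix, which is what lets one rule cover 1.2 and 1.3 and tolerate the version-prefix differences between TLS library builds; the exception floor means a listed legacy host is still denied if it falls back to SSLv3 or drops encryption entirely.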