Re: [exim] SSL forcing

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Cyborg
Dátum:  
Címzett: exim-users
Tárgy: Re: [exim] SSL forcing
Am 19.05.19 um 19:24 schrieb Jeremy Harris via Exim-users:
> On 19/05/2019 18:00, Cyborg via Exim-users wrote:
>> Problem is, that even if tls_1.2 is out since 2008, a communication
>> partner may use SSLv3 or TLS 1.0/1.1 and  using just "encrypted = *" ,
>> you will accept i
>>
>> It's better to check the protocol via $tls_cipher for tls 1.2 and 1.3 ,
>> and reject anything not 1.2 or 1.3.
> If you are concerned about TLS versions, the easiest configuration
> is using tls_require_ciphers (for GnuTLS, where it is a GnuTLS priority
> string) or openssl_options (for OpenSSL).
>

... and here reality kicks in :D  Let me explain ...

If you disable TLS < 1.2 for any tls host you get in contact with,
you may end with some important, but unfortunately created by
dump&dumper Corp (i.e. citrix),
and therefor without a working tls 1.2 or better mta equipped server,
which does not
transport personal, but vital system data.

Which sums up @ : we wanne check tls 1.2+ for "normal" connections, but
may need to receive tls < 1.2
for some special servers, but don't wanne make special cases in the
config file. We i.e. have the switches in
a db on a per case schema.

Am 19.05.19 um 19:13 schrieb Andrew C Aitchison via Exim-users:


    /TLS v1.0 and v1.1 are on the way out for https*; //
    //how did you decide which versions to allow for mail ? /


deny condition = ${if eq{${substr_0_7:$tls_cipher}}{TLSv1.2} {0}{1}}

ofcourse you need one for 1.3 too .


    /If you use the same certificate for smtp and pop, imap and/or https
    webmail //
    //then using an old protocol leaves you open to cross-protocol
    downgrade attacks (like DROWN but tls instead of ssl). //


    /


Certs are not bound to protocols.

    ///
    //On the other hand, I see more effort put into updating encryption
    for web than for mail. //
    /


Not really, it's basically the same.


best regards,
Marius