On May 19, Jeremy Harris via Exim-users wrote:
> On 19/05/2019 18:00, Cyborg via Exim-users wrote:
> > Problem is, that even if tls_1.2 is out since 2008, a communication
> > partner may use SSLv3 or TLS 1.0/1.1 and using just "encrypted = *" ,
> > you will accept i
> >
> > It's better to check the protocol via $tls_cipher for tls 1.2 and 1.3 ,
> > and reject anything not 1.2 or 1.3.
>
> If you are concerned about TLS versions, the easiest configuration
> is using tls_require_ciphers (for GnuTLS, where it is a GnuTLS priority
> string) or openssl_options (for OpenSSL).
I added +tls_cipher to log_selector which adds an X= entry to the log
file entries for inbound TLS connections. In my case (for a low volume
personal mailserver which I enjoy spending *far* too much time
maintaining) I get this:
# egrep -o 'X=TLS[^ ]+' /var/log/exim4/mainlog | sort | uniq -c | sort -n | tail
82 X=TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128
167 X=TLS1.2:DHE_RSA_AES_256_GCM_SHA384:256
272 X=TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256
289 X=TLS1.2:ECDHE_ECDSA_AES_128_CBC_SHA256:128
296 X=TLS1.2:ECDHE_RSA_AES_256_CBC_SHA384:256
466 X=TLS1.2:ECDHE_ECDSA_CHACHA20_POLY1305:256
691 X=TLS1.2:ECDHE_ECDSA_AES_256_GCM_SHA384:256
727 X=TLS1.2:ECDHE_ECDSA_AES_128_GCM_SHA256:128
1053 X=TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128
15878 X=TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256
Sadly I want to continue to receive some of those TLS1.0 inbound
connections. One of them is from the OWASP CRS mailing list. Of all
people!
HTH
Richard
--
junix.systems/privacy
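The egrep | sort | uniq -c pipeline in Richard's post tallies the X= field that +tls_cipher adds to Exim's mainlog. The script below is an added example, not code from the thread or from the Exim project; it parses constructed sample mainlog lines (hostnames and addresses are example.com / RFC 5737 placeholders) to produce the same per-cipher tally and, in addition, to list which sending hosts still negotiate SSLv3/TLS1.0/TLS1.1, which is the information needed before tightening tls_require_ciphers or openssl_options. It assumes the usual mainlog layout (H=host [addr] ... X=proto:cipher:bits); the cipher regex accepts both the GnuTLS underscore names shown in the post and OpenSSL's hyphenated names.

```python
import re
from collections import Counter

# Constructed sample Exim mainlog lines (not taken from the original post),
# in the shape Exim writes when +tls_cipher is in log_selector: the X= field
# carries protocol:cipher:bits. Line 5 is a plaintext delivery with no X=.
SAMPLE_LOG = """\
2019-05-19 18:01:02 1hSaaa-000001-Aa <= alice@example.com H=mx1.example.com [192.0.2.10] P=esmtps X=TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256 CV=no S=2048
2019-05-19 18:02:10 1hSaab-000002-Ab <= list@example.org H=lists.example.org [198.51.100.7] P=esmtps X=TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256 CV=no S=9123
2019-05-19 18:03:44 1hSaac-000003-Ac <= bob@example.net H=smtp.example.net [203.0.113.5] P=esmtps X=TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128 CV=yes S=512
2019-05-19 18:04:00 1hSaad-000004-Ad <= carol@example.com H=mx1.example.com [192.0.2.10] P=esmtps X=TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256 CV=no S=777
2019-05-19 18:05:30 1hSaae-000005-Ae <= dave@example.com H=old.example.com [192.0.2.99] P=esmtp S=100
2019-05-19 18:06:12 1hSaaf-000006-Af <= list@example.org H=lists.example.org [198.51.100.7] P=esmtps X=TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256 CV=no S=8000
"""

# X=<proto>[:<cipher>[:<bits>]]; cipher may be GnuTLS (underscores) or
# OpenSSL (hyphens) style, so anything up to the next ':' or whitespace.
TLS_FIELD = re.compile(
    r"\bX=(?P<proto>TLS1\.\d|SSLv\d)(?::(?P<cipher>[^:\s]+))?(?::(?P<bits>\d+))?"
)
HOST_FIELD = re.compile(r"\bH=(?P<host>\S+)")

# Protocol versions an administrator would normally want to retire.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLS1.0", "TLS1.1"}


def parse_tls(line):
    """Return (protocol, cipher, bits) from one mainlog line, or None when the
    line has no X= field (plaintext session, or tls_cipher not logged)."""
    m = TLS_FIELD.search(line)
    if not m:
        return None
    return m.group("proto"), m.group("cipher"), m.group("bits")


def count_by_cipher(log_text):
    """Same tally as 'egrep -o X=TLS... | sort | uniq -c': count each full
    proto:cipher:bits value over all TLS connections in the log text."""
    counts = Counter()
    for line in log_text.splitlines():
        m = TLS_FIELD.search(line)
        if m:
            counts[m.group(0)[2:]] += 1  # strip the leading "X="
    return dict(counts)


def legacy_peers(log_text):
    """Map each sending host that still negotiates a legacy protocol to its
    connection count, so the cost of a stricter cipher policy is visible."""
    peers = Counter()
    for line in log_text.splitlines():
        tls = parse_tls(line)
        if tls is None or tls[0] not in LEGACY_PROTOCOLS:
            continue
        h = HOST_FIELD.search(line)
        peers[h.group("host") if h else "<unknown>"] += 1
    return dict(peers)


if __name__ == "__main__":
    # Mirror the post's 'sort -n' ordering: least common first.
    for value, n in sorted(count_by_cipher(SAMPLE_LOG).items(), key=lambda kv: kv[1]):
        print(f"{n:6d} X={value}")
    print("legacy peers:", legacy_peers(SAMPLE_LOG))
```

Run it against a real log by replacing SAMPLE_LOG with the contents of /var/log/exim4/mainlog; the legacy_peers output is the list to review before deciding, as Richard did, which old-protocol senders you still need to accept.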