On 19/05/2019 19:12, Cyborg via Exim-users wrote:
> On 19.05.19 at 19:24, Jeremy Harris via Exim-users wrote:
>> On 19/05/2019 18:00, Cyborg via Exim-users wrote:
>>> Problem is that even though TLS 1.2 has been out since 2008, a communication
>>> partner may use SSLv3 or TLS 1.0/1.1, and using just "encrypted = *"
>>> you will accept it.
>>>
>>> It's better to check the protocol via $tls_cipher for TLS 1.2 and 1.3,
>>> and reject anything not 1.2 or 1.3.
>> If you are concerned about TLS versions, the easiest configuration
>> is using tls_require_ciphers (for GnuTLS, where it is a GnuTLS priority
>> string) or openssl_options (for OpenSSL).
>>
> ... and here reality kicks in :D Let me explain ...
>
> If you disable TLS < 1.2 for any TLS host you get in contact with,
> you may end up with some important server, unfortunately created by
> dump&dumper Corp (i.e. Citrix), and therefore without a working
> TLS 1.2 or better MTA, which does not transport personal, but vital
> system data.
>
> Which sums up to: we want to check for TLS 1.2+ on "normal" connections, but
> may need to receive TLS < 1.2 from some special servers, and we don't want
> to make special cases in the config file. We, for example, have the switches
> in a DB on a per-case schema.
tls_require_ciphers is expanded, both main and transport versions.
openssl_options is not; anybody interested could raise an RFE.
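An added illustration of the two approaches discussed in this thread (it is not a configuration from either poster or from the Exim project). It assumes a GnuTLS build, a constructed iplsearch file /etc/exim/legacy_tls_hosts listing the few hosts that are allowed to speak TLS 1.0/1.1 (the per-case DB mentioned above could replace that lookup), and that $tls_in_cipher begins with "TLS1.2:"/"TLS1.3:" under GnuTLS and "TLSv1.2:"/"TLSv1.3:" under OpenSSL, which the regex below covers. Because tls_require_ciphers is expanded, the legacy-host exception can be made at negotiation time rather than in the ACL; the ACL check on the negotiated protocol is shown as a belt-and-braces second layer.

```exim
# ---- main configuration section ----

# GnuTLS priority string, expanded per connection (assumption: GnuTLS build).
# Hosts present in the constructed file /etc/exim/legacy_tls_hosts get the
# default priorities (TLS 1.0/1.1 still negotiable); everyone else is limited
# to TLS 1.2 and 1.3 before any ACL runs.
tls_require_ciphers = ${lookup{$sender_host_address}iplsearch{/etc/exim/legacy_tls_hosts} \
                        {NORMAL} \
                        {NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1}}

acl_smtp_mail = acl_check_mail

# ---- ACL section ----

begin acl

acl_check_mail:
  # Legacy hosts (same constructed file as above) are accepted as-is.
  accept condition = ${lookup{$sender_host_address}iplsearch{/etc/exim/legacy_tls_hosts}{yes}{no}}

  # "encrypted = *" alone would accept any protocol version; instead require
  # that an encrypted session negotiated TLS 1.2 or 1.3.  The regex matches
  # both the GnuTLS ("TLS1.2:") and OpenSSL ("TLSv1.2:") spellings (assumption).
  deny  condition = ${if def:tls_in_cipher}
        !condition = ${if match{$tls_in_cipher}{\N^TLSv?1\.[23]:\N}}
        message = TLS 1.2 or later is required (negotiated: $tls_in_cipher)

  accept

# ---- transports section (outbound side of the same policy) ----

begin transports

remote_smtp:
  driver = smtp
  hosts_require_tls = *
  # The transport version of tls_require_ciphers is expanded too, so the same
  # per-host exception can be applied when we are the client.
  tls_require_ciphers = ${lookup{$host_address}iplsearch{/etc/exim/legacy_tls_hosts} \
                          {NORMAL} \
                          {NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1}}
```

On an OpenSSL build the first setting would instead be openssl_options = +no_sslv2 +no_sslv3 +no_tlsv1 +no_tlsv1_1, but as noted above that option is not expanded, so the per-host exception there has to live in the ACL check alone. Test the expansion with exim -be on a sample address before deploying, and keep the legacy list as short as possible: every entry on it is a host whose traffic is protected only by protocol versions with known weaknesses.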