[exim] for europeans only: EU GDPR and mitigation of CVE-201…

Author: Cyborg
Date:  
To: Exim Users
Subject: [exim] for europeans only: EU GDPR and mitigation of CVE-2019-15846
Hi,

This post is only relevant for European corporations or organisations WITH
mail servers in or outside of the EU. If you are not based in the EU, you can skip this.

As a possible mitigation for CVE-2019-15846, stopping the use of TLS in the form of

tls_advertise_hosts =

in your config is a bigger deal than you may think.

Article 32 p 1 EU GDPR states that the transport of personal data has
to be protected if it's easily possible, which it is regarding TLS in
mail servers. Here it's trivial, just by activating it in the
exim.config, as it's trivial today in web servers like Apache with the
help of Let's Encrypt.

This issue is already known to the data protection agencies in the EU, as
they got explicitly informed about it in May 2018 by the EU technical
group that "invented" the EU GDPR (before it got rewritten by advocates).
(How do I know? I initiated it ;) )

This means, as a consequence, that if you disable TLS, it becomes a data
protection violation. Of course, no one will sue you, as the protection
of your service comes first, but you have to inform your clients about
this incident and you have to make a note about it. You simply can't
keep it to yourself if you are a company or organisation admin inside
the EU.

If you negate the attack vector without disabling TLS, all is fine for you.

best regards,
Marius

( JFYI, the hardcore consequence of Article 32 is that you have to
reject clear SMTP connections without TLS 1.2+ protection. That's
because you don't know what clients may send via the unprotected
connection before they have sent it. This means you have to protect the
client from it before it happens. That's also the reason why you have
to use HTTPS with contact forms on websites since 2016 )
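Added example (not part of Marius's post and not Exim project configuration): two Exim main-section fragments that put the workaround quoted in the post next to a configuration that keeps STARTTLS advertised, sets a TLS 1.2 floor and refuses to accept mail over a cleartext session, which is the "reject clear SMTP connections without TLS 1.2+" reading of Article 32 the post describes. The certificate paths, the ACL name `acl_check_mail` and the assumption that Exim is built against OpenSSL are mine; the two `tls_advertise_hosts` settings are alternatives and must not both appear in one configuration.

```conf
# Added example, not from the original post or the Exim project.
# Alternative A and alternative B are mutually exclusive; pick one.

# ---- Alternative A: the workaround discussed in the post ----
# An empty host list means STARTTLS is never offered, so every SMTP
# session runs in cleartext. This removes the TLS code path, but also
# removes the transport protection the post argues Article 32 requires.
tls_advertise_hosts =

# ---- Alternative B: keep TLS and raise the floor to TLS 1.2 ----
tls_advertise_hosts = *
tls_certificate     = /etc/exim/tls/fullchain.pem   # assumed path (e.g. a Let's Encrypt chain)
tls_privatekey      = /etc/exim/tls/privkey.pem     # assumed path

# Exim linked against OpenSSL (assumed): refuse every protocol version
# below TLS 1.2. A GnuTLS build expresses the same floor through
# tls_require_ciphers as a priority string instead.
openssl_options = +no_sslv2 +no_sslv3 +no_tlsv1 +no_tlsv1_1

# Run the ACL below at MAIL FROM so cleartext sessions are refused before
# any message content (personal data) has been transferred.
acl_smtp_mail = acl_check_mail

begin acl

acl_check_mail:
  # "encrypted = *" is true only on a TLS-protected session; the "!"
  # negates it, so cleartext senders are rejected with a 5xx reply.
  deny    !encrypted = *
          message    = STARTTLS is required before sending mail here
  accept
```

The ACL enforces the policy the post sketches, but it also rejects remote MTAs that never negotiate STARTTLS, so on an MX listener it will bounce legitimate inbound mail; it is a natural fit for the submission listener (port 587) where your own users connect. Alternative B does not by itself address CVE-2019-15846; the durable fix is to run a patched Exim release, after which TLS can stay advertised as shown.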