Re: [exim] Exim (aoom) named in context of new TLS cross-pro…

Author: Cyborg
Date:  
To: exim-users
Subject: Re: [exim] Exim (aoom) named in context of new TLS cross-protocol attack
On 10.06.21 at 11:18, Jeremy Harris via Exim-users wrote:

> It's beyond most script-kiddies, at least.
>
> Email has no current standard for using ALPN; do we need one?
> That is suggested as mitigation for this attack.
> Exim does support SNI, which is also suggested (but only
> used if explicitly configured, at present, unless DANE).
>
> We might think about tightening up on the SNI defaults.
>
> I guess using DANE counts as another defense against this attack.


After reading the paper a bit closer, rejecting the entire connection
when an HTTP header line is detected seems to be the only valid option
here, as long as ALPN isn't implemented widely.

Heiko's suggestion to set smtp_max_synprot_errors = 0 is the workaround
to go with atm.

I suggest changing the default in the next Exim release too.

Let's check if it's reasonable to change the default:

Next to no one is sending emails by manually entering text in a telnet
connection.
Normal users will use clients; clients know the SMTP protocol, so there
will be no harm in changing it.

Developers who need to test things, i.e. client devs or server admins,
will most likely use pre-typed scripts, because they usually need to
re-execute the tests over and over again. No harm here either.

I can't see anyone who would be harmed by this change, or did I overlook
something important?

@Heiko: always a pleasure, check the programme for next Tuesday, you
might want to join up.

best regards,
Marius
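As an added illustration of the two options discussed above (a constructed simulation of the documented semantics of smtp_max_synprot_errors, not Exim's own code or wording): with the default limit of 3, the HTTP request line and headers that land on the SMTP port are tolerated as protocol errors and the SMTP command that follows is still processed, while a limit of 0 ends the session on the first bad line; the `reject_http` flag models the stricter "drop on any HTTP header line" proposal. Host names and reply texts are constructed.

```python
# Added, constructed simulation of the documented semantics of Exim's
# smtp_max_synprot_errors (not Exim's own code): syntax/protocol errors are
# counted per session and the connection is dropped once the count exceeds
# the limit. Reply texts are illustrative, not Exim's exact wording.
KNOWN_VERBS = {"EHLO", "HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP",
               "QUIT", "STARTTLS", "AUTH"}

def looks_like_http(line: str) -> bool:
    """True if a line sent on the SMTP port is an HTTP request or header line."""
    if " HTTP/" in line and line.split(" ", 1)[0].isupper():
        return True                                  # e.g. "POST / HTTP/1.1"
    name, sep, _ = line.partition(":")
    return bool(sep) and name.replace("-", "").isalpha()  # e.g. "Host: x"

def run_session(lines, max_synprot_errors, reject_http=False):
    """Feed client lines to the simulated server; return (replies, dropped)."""
    errors, replies = 0, []
    for line in lines:
        verb = line.split(" ", 1)[0].upper()
        if verb in KNOWN_VERBS:
            replies.append("221 Bye" if verb == "QUIT" else "250 OK")
            if verb == "QUIT":
                break
            continue
        if reject_http and looks_like_http(line):   # the stricter proposal
            replies.append("554 HTTP on SMTP port, closing connection")
            return replies, True
        errors += 1                                  # anything else: protocol error
        if errors > max_synprot_errors:
            replies.append("421 Too many syntax or protocol errors")
            return replies, True
        replies.append("500 unrecognized command")
    return replies, False

# Constructed sample: an HTTP request arriving on the SMTP port, carrying an
# SMTP command in its body (the pattern the cross-protocol paper describes).
HTTP_ON_SMTP_PORT = ["POST / HTTP/1.1", "Host: mail.example.test", "",
                     "EHLO client.example.test"]

def default_limit_result():
    return run_session(HTTP_ON_SMTP_PORT, 3)   # Exim's default: EHLO still runs

def hardened_limit_result():
    return run_session(HTTP_ON_SMTP_PORT, 0)   # the workaround: first line drops
```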