Hi Victor,
on 20.09.21 17:43, Viktor Dukhovni via Exim-users wrote:
>> Anyway: My main goal is to protect credentials of my users, if I would
>> enable TLS1.1 and lower, I would risk that this communication is not
>> secured adequately.
>
> Indeed, that's why I would recommend a floor of TLS 1.2 for portss 587
> and 465, but not necessarily port 25.
That is reasonable, now I need to see how to configure that in exim.
>> Additionally, I enforce encryption (TLS1.2+) on outgoing connections
>> (only very few sites do not support that, I maintain a list of
>> exceptions, when I see mails lingering in the queue).
>
> This is where our priorities differ. Barring a practical downgrade
> attack on SMTP STARTTLS made possible by keeping TLS 1.0 enabled, I
> see little reason yet to force the remaining TLS 1.0 to use cleartext.
> (Yes I'm aware of past cross-protocol attacks, see the author list of
> DROWN: <https://drownattack.com/drown-attack-paper.pdf>)
Kudos, real nice paper. I definitely got your point. Just for information:
All hosts on my exception list do not support encryption at all (the
list is so short, that I can test the hosts before adding them).
Anyway, as you wrote in another mail, main attack would be stripping STARTTLS
before the connection is encrypted. I currently see no real widely used extension
to address that. TLSA records and DANE are not implemented widely, MTA-STS
probably even less wide.
Nonetheless, interesting thread with a lot points to rething and improve, thanks Victor.
Regards,
Thomas