On Wed, Jun 28, 2017 at 9:27 PM, Phil Pennock <p...@exim.org> wrote: > There could stand to be some privacy implications discussion too -- > you're sending out, over the wire in unencrypted DNS packets, a > predictable derivation of the Reply-To: header received for every email > from a given domain. Using a cryptographic checksum protects against > casual snoopers knowing, but does not protect against those with a > dictionary of email addresses generating a reverse map and using that > for lookups, so undermines a chunk of the TLS-by-default work going on > by leaking metadata. Usual RBLs only leak that there was communication > from an IP, which a network traffic sniffer could see anyway.
Although SHA-1 is known to be weak, it's still a bit of work to brute force it for a busy mailserver, but for a server that only sees occasional traffic, there is legitimate concern. SHA-256 would be nice. Perhaps we (FSVO "we") should draft a proposal to the MSBL about using SHA-256 instead? -- Jan -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
