Could I ask a possibly radical question of the list? Firstly, I fully appreciate that a number of older encryption protocols and ciphers are very weak. So *preferring* stronger ones over the weaker ones has a clear benefit.
But given that most MTA to MTA traffic uses *opportunistic* encryption, falling back to cleartext transfers if no encryption can be agreed between the servers, isn't it better to continue to offer and use in such situations a weak cipher than none at all? That is, weak encryption of a message is better than none at all?

The exceptions being, of course, scenarios like:
- you require your incoming MTA to MTA traffic to arrive over an encrypted connection and reject messages arriving in cleartext, or
- for MUA to MSA submissions as authentication credentials are usually involved.

Cheers,
Mike B-)

On 28 March 2018 at 08:10, Konstantin Boyandin via Exim-users <exim-users@exim.org> wrote:
> Hello,
>
> After having scanned 4.90.1 installation with OpenVAS, the below was
> reported:
>
> 'Weak' cipher suites accepted by this service via the
> TLSv1.0/TLSv1.1/TLSv1.2 protocols: TLS_RSA_WITH_SEED_CBC_SHA
>
> Default settings (no explicit "tls_require_ciphers", "openssl_options")
> are in use.
>
> Can someone recommend simplest ciphers selection for Exim, to exclude the
> mentioned cipher? The settings present on cipherli.st:
>
> tls_require_ciphers = AES128+EECDH:AES128+EDH
> openssl_options = +no_sslv2 +no_sslv3
>
> seem kind of too strict, there were reported problems receiving email
> after the above were put in effect.
>
> Sincerely,
> Konstantin
>
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/

--
Systems Administrator & Change Manager
IT Services, University of York, Heslington, York YO10 5DD, UK
Tel: +44-(0)1904-323811
Web: www.york.ac.uk/it-services
Disclaimer: www.york.ac.uk/docs/disclaimer/email.htm
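
The trade-off discussed in this thread can be checked locally before changing a server. The following is an added example, not part of the original messages: it expands the cipherli.st string quoted above and an assumed alternative, `DEFAULT:!SEED` (standard OpenSSL cipher-string syntax that removes only SEED suites), using Python's `ssl` module, and assumes an Exim build linked against OpenSSL so that the same strings apply.

```python
import ssl

# STRICT is the string quoted in the thread. DROP_SEED is an assumption
# made for this example: OpenSSL syntax that only removes SEED suites.
STRICT = "AES128+EECDH:AES128+EDH"
DROP_SEED = "DEFAULT:!SEED"


def expand(cipher_string):
    """Return the TLS <= 1.2 suite names the local OpenSSL enables."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # TLS 1.3 suites are configured separately and are always listed,
    # so they are skipped to compare only what the string controls.
    return [c["name"] for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3"]


def compare(a, b):
    """Show which suites each cipher string enables that the other does not."""
    sa, sb = set(expand(a)), set(expand(b))
    return {
        "only_a": sorted(sa - sb),
        "only_b": sorted(sb - sa),
        "both": sorted(sa & sb),
    }


def seed_enabled(cipher_string):
    """True if any enabled suite uses the SEED cipher flagged by the scan."""
    return any("SEED" in name for name in expand(cipher_string))


if __name__ == "__main__":
    diff = compare(DROP_SEED, STRICT)
    print("SEED still offered with DROP_SEED:", seed_enabled(DROP_SEED))
    print("suites kept by both strings:", len(diff["both"]))
    print("suites offered only by DROP_SEED (lost under STRICT):")
    for name in diff["only_a"]:
        print("  ", name)
```

The "lost under STRICT" list is the set of suites a peer could previously negotiate and no longer can; the exact names depend on the local OpenSSL version and build.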