On 14.05.25 at 09:59, Viktor Ustiuhov via Exim-users wrote:
Reading a little more, I see that I should use:
auth_advertise_hosts = ${if eq{$tls_cipher}{}{*}{*}}
That doesn't make sense. Maybe you meant

auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}

You are both wrong with this suggestion:

If you just test whether a cipher is present, you can end up allowing TLS 1.0, depending on the security policy and SSL config on the system.

What you really want to do is to test that

a) it's filled at all
b) test for TLS 1.2 and 1.3

because everything else is broken & insecure.

with OpenSSL, e.g. in acl_check_mail:

  # Exim ACL (OpenSSL build): a deny fires only when every condition on it is
  # true, i.e. the session is neither TLS1.2 nor TLS1.3 (no TLS at all included)
  deny condition = ${if eq{${substr_0_6:$tls_cipher}}{TLS1.2} {0}{1}}
       condition = ${if eq{${substr_0_6:$tls_cipher}}{TLS1.3} {0}{1}}
       message = Sender did not use TLSv1.2+ secured connections.

Of course you can put this test in another form at another place; it's just an example.

Don't forget to add this on your transport too, or you send out unencrypted mails and get sued for it.


best regards,
Cyborg
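Added example (not from the thread or from Exim itself): a small Python model of the two checks discussed above, run over constructed $tls_cipher values, so the gap between "some cipher is present" and "the session is TLS 1.2 or 1.3" is visible on data. It assumes Exim's "version:ciphersuite:bits" layout for $tls_cipher (the layout the substr_0_6 test above relies on); the cipher-suite names in the samples are illustrative only.

```python
"""Model of the two Exim ACL checks from the thread, run over constructed
$tls_cipher values.  Added example, not Exim code: it re-implements the
string expansions in Python so the difference between "a cipher is present"
and "the session is TLS 1.2 or 1.3" can be seen on sample data.

Exim exposes the negotiated session as $tls_cipher (alias $tls_in_cipher)
in the form "<version>:<ciphersuite>:<bits>", e.g.
"TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256"; an empty string means no TLS.
"""

# Constructed sample values for $tls_cipher; the cipher names are
# illustrative, only the version prefix matters for the checks below.
SAMPLES = {
    "plain": "",
    "tls10": "TLS1.0:AES128-SHA:128",
    "tls11": "TLS1.1:ECDHE-RSA-AES256-SHA:256",
    "tls12": "TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256",
    "tls13": "TLS1.3:TLS_AES_256_GCM_SHA384:256",
}


def presence_check_advertises_auth(tls_cipher: str) -> bool:
    """Mirror of  auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}:
    AUTH is advertised to every host ("*") as soon as *any* cipher string
    is set, so a TLS 1.0 session passes this check."""
    return tls_cipher != ""


def exim_substr_0_6(value: str) -> str:
    """Mirror of the ${substr_0_6:...} expansion operator."""
    return value[:6]


def version_check_denies(tls_cipher: str) -> bool:
    """Mirror of the two-line deny from the thread.  An Exim verb fires only
    when every 'condition =' on it is true, so the deny triggers when the
    prefix is neither TLS1.2 nor TLS1.3 (the empty string included)."""
    # ${if eq{...}{TLS1.2} {0}{1}} yields 1 (true) when the prefix differs
    not_tls12 = exim_substr_0_6(tls_cipher) != "TLS1.2"
    not_tls13 = exim_substr_0_6(tls_cipher) != "TLS1.3"
    return not_tls12 and not_tls13


def compare_policies(samples=SAMPLES) -> dict:
    """Return {name: (auth advertised by presence check, denied by version check)}."""
    return {
        name: (presence_check_advertises_auth(c), version_check_denies(c))
        for name, c in samples.items()
    }


def weak_sessions_passing_presence_check(samples=SAMPLES) -> list:
    """Names of sessions the presence check lets through although their
    version is below TLS 1.2: exactly the gap the post warns about."""
    return [
        name for name, c in samples.items()
        if presence_check_advertises_auth(c) and version_check_denies(c)
    ]


if __name__ == "__main__":
    for name, (auth, denied) in compare_policies().items():
        print(f"{name:6} {SAMPLES[name]!r:42} "
              f"presence_check_advertises_auth={auth!s:5} version_check_denies={denied}")
    print("weak sessions passing the presence check:",
          weak_sessions_passing_presence_check())
```

Running it lists tls10 and tls11 as sessions that the presence check would happily advertise AUTH on while the version check denies them; the version check also denies the plaintext session, which the deny verb covers because substr_0_6 of an empty string is empty and matches neither prefix.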


-- 
## subscription configuration (requires account):
##   https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
##   exim-users-unsubscr...@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
