On 2019-09-07 at 08:23 +0200, Heiko Schlittermann wrote:
> Phil Pennock (Sa 07 Sep 2019 02:52:56 CEST):
> > The connect ACL won't protect you against STARTTLS usage, which is far
> > more common for email than TLS-on-connect.
> >
> > I myself use the HELO ACL.
>
> This doesn't seem to be
Phil Pennock (Sa 07 Sep 2019 02:52:56 CEST):
> The connect ACL won't protect you against STARTTLS usage, which is far
> more common for email than TLS-on-connect.
>
> I myself use the HELO ACL.
This doesn't seem to be sufficient, you can start "submitting" a message to
a remote Exim with the
On 2019-09-06 at 20:50 +0200, Sebastian Nielsen wrote:
> Shouldn't this be in connect ACL?
> How would the deny in MAIL FROM prevent the exploit? What I have understood
> is that there is an exploit in the SNI of the TLS negotiation, thus the whole
> connect attempt must be rejected, right?
The