> On 30 Sep 2021, at 6:32 pm, Sabahattin Gucukoglu via Exim-users
> wrote:
>
> Courier Mail Server fetches MTA-STS policy documents. I’d consider this a
> good reason to do MTA-STS as well as DANE, even though I suspect the base of
> Courier users will be small. Interesting too is that Debian
Looks like I will be spending some more quality time with GnuTLS docs as I do
seem to have been giving it a hard time. Most interesting so far is the
discovery that the ciphersuite selection lets you specify not just the suites,
but also the negotiated protocol version. It’s not as convenient, b
Interesting discussion ... I am in a slightly different place on our
three public mail servers that handle circa 200,000 mails per day for
about 20-30 domains.
1. I use Devuan 3.1 (Beowulf) and compile Exim from source with OpenSSL
rather than GnuTLS. NB. No systemd here to fek with things!
On 9/20/21 13:11, Viktor Dukhovni via Exim-users wrote:
If you care about SMTP transport security, do DANE, but make sure you
implement monitoring and a robust key rollover process. Just turning
DANE on and neglecting it does nobody any good.
May be worth mentioning - Comcast will send TLS-
On Mon, Sep 20, 2021 at 09:13:11PM +0200, exim-users--- via Exim-users wrote:
> > This is where our priorities differ. Barring a practical downgrade
> > attack on SMTP STARTTLS made possible by keeping TLS 1.0 enabled, I
> > see little reason yet to force the remaining TLS 1.0 to use cleartext.
>
Hi Viktor,
on 20.09.21 17:43, Viktor Dukhovni via Exim-users wrote:
>> Anyway: My main goal is to protect credentials of my users, if I would
>> enable TLS1.1 and lower, I would risk that this communication is not
>> secured adequately.
>
> Indeed, that's why I would recommend a floor of TLS 1.2
> On 20 Sep 2021, at 12:24 pm, Andrew C Aitchison via Exim-users
> wrote:
>
> DROWN makes me think it would be sensible not to use the same certificate for
> SMTP with TLS 1.0 or 1.1
> and any non-SMTP service
> - particularly webmail.
Actually, don't share mail certificates with web certifica
On Mon, 20 Sep 2021, Viktor Dukhovni via Exim-users wrote:
On Mon, 20 Sep 2021 "Thomas" wrote:
Any site, that does not support at least TLS 1.2 is running absolutely
outdated software. GnuTLS handshake errors are logged very few times
(<<1% of the messages), I suppose that enabling TLS1.1 and lo
On Mon, Sep 20, 2021 at 12:12:02PM +0200, exim-users--- via Exim-users wrote:
> > There's little to nothing particularly wrong with TLS 1.0 for SMTP,
> > and certainly nothing that's fixed in TLS 1.1, so if the floor isn't
> > TLS 1.2 it should be 1.0 (I still recommend leaving it enabled for
> >
Viktor Dukhovni via Exim-users writes:
> On Sat, Sep 18, 2021 at 09:45:28PM +0100, Andrew C Aitchison via
> Exim-users wrote:
>
>> > Besides this: About 85% of the incoming traffic is still unencrypted
>> > (for my statistics, mainly because some high volume mailing list
>> > servers do not use T
Hi,
On 18.09.21 23:14, Viktor Dukhovni via Exim-users wrote:
>>> Besides this: About 85% of the incoming traffic is still unencrypted
>>> (for my statistics, mainly because some high volume mailing list
>>> servers do not use TLS), about 10% uses TLS1.3, 5% still uses TLS1.2
>>> (I log TLS ciphers
Hi Andrew,
On 18.09.21 22:45, Andrew C Aitchison via Exim-users wrote:
>> I use testssl.sh (https://testssl.sh/) to verify my configuration
>> (as there is nothing handy like the Qualys Test for HTTPS, IMHO).
>
> Hardenize https://www.hardenize.com/ is not bad.
Yes, Hardenize is a good start, I
On Sat, Sep 18, 2021 at 09:45:28PM +0100, Andrew C Aitchison via Exim-users
wrote:
> > Besides this: About 85% of the incoming traffic is still unencrypted
> > (for my statistics, mainly because some high volume mailing list
> > servers do not use TLS), about 10% uses TLS1.3, 5% still uses TLS1.2
On Sat, 18 Sep 2021, exim-us...@thomas.freit.ag via Exim-users wrote:
I use testssl.sh (https://testssl.sh/) to verify my configuration
(as there is nothing handy like the Qualys Test for HTTPS, IMHO).
Hardenize https://www.hardenize.com/ is not bad.
Testing robust (perfect) forward secrec
On Sat, Sep 18, 2021 at 10:58:33AM +0100, Sabahattin Gucukoglu via Exim-users
wrote:
> Is there really a good reason? I do it chiefly because I like
> OpenSSL’s cipher selection (I want very permissive, ordered by
> @STRENGTH, and TLS 1.3 would be nice). There were also horror stories
> about RNG
Hello,
On Sat, 18 Sep 2021 18:25:07 +0200 exim-users--- via Exim-users
wrote:
> tls_require_ciphers =
> PFS:SECURE256:SECURE192:-3DES-CBC:-CURVE-SECP192R1:-CURVE-SECP224R1:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-NULL:+VERS-TLS1.3:-MD5:%SERVER_PRECEDENCE:%FORCE_ETM
I have something similar, bu
Hi Sabahattin,
On 18.09.21 11:58, Sabahattin Gucukoglu via Exim-users wrote:
> Is there really a good reason? I do it chiefly because I like OpenSSL’s
> cipher selection (I want very permissive, ordered by @STRENGTH, and TLS 1.3
> would be nice). There were also horror stories about RNG entropy
On 2021-09-18 Sabahattin Gucukoglu via Exim-users wrote:
> Debian always builds Exim against GnuTLS, in its “heavy” variation,
> but I’ve always resisted by building against OpenSSL (and,
> incidentally, taken the time to tweak it for me). On the face of it
> that’s fine, except …
> Is there real
Hello,
On Sat, 18 Sep 2021 10:58:33 +0100 Sabahattin Gucukoglu via Exim-users
wrote:
> Is there really a good reason? I do it chiefly because I like
> OpenSSL’s cipher selection (I want very permissive, ordered by
> @STRENGTH, and TLS 1.3 would be nice). There were also horror stories
> about
Debian always builds Exim against GnuTLS, in its “heavy” variation, but I’ve
always resisted by building against OpenSSL (and, incidentally, taken the time
to tweak it for me). On the face of it that’s fine, except …
Is there really a good reason? I do it chiefly because I like OpenSSL’s cipher