Why not just disable the impacted ciphers? This seems reasonable to me:

    tls_require_ciphers = -ALL:+HIGH:-SSLv2:!aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-MD5:AES256-SHA:AES128-SHA
On Fri, Oct 17, 2014 at 6:44 AM, Viktor Dukhovni <[email protected]> wrote:

> On Fri, Oct 17, 2014 at 02:44:16AM -0400, Chris Siebenmann wrote:
>
> > (This is not to say that you should leave SSLv3 on. I'd turn it off
> > for various reasons, including that it's ancient.)
>
> My advice is to leave it on. I understand that turning it off
> feels good, and may even appease some auditors, but the net effect
> of turning it off for SMTP is very slightly negative. A tiny, but
> perhaps sensitive, fraction of systems (some older anti-spam/anti-virus
> appliances) will now only be able to send you email in the clear.
>
> If you want to gain some security, consider disabling RC4 on port
> 587, where TLS should be mandatory, and if any of the submission
> clients are "bots" or other MTAs that use PLAIN auth, RC4 might
> leak their credentials after some millions of messages.
>
> All this said, most sites that choose to disable SSLv3, will likely
> not notice any difference either way. The fraction of SMTP traffic
> that is SSLv3 is tiny for most domains.
>
> --
> Viktor.
>
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/

--
Brent Jones
[email protected]
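Putting Viktor's suggestion into Exim terms, as an added example rather than configuration from either poster: port 25 stays permissive so that old appliances keep encrypting opportunistically, while the submission port refuses RC4 (and anything below HIGH) and only offers AUTH once TLS is up. It assumes an OpenSSL-built Exim, that $received_port is already set when tls_require_ciphers is expanded at STARTTLS time, and placeholder certificate paths.

```exim
# Main configuration section (constructed example; check it against the
# spec for your Exim version before use).

daemon_smtp_ports = 25 : 587
tls_advertise_hosts = *

# Placeholder paths; substitute your own certificate and key.
tls_certificate = /etc/exim/mail.example.net.pem
tls_privatekey  = /etc/exim/mail.example.net.key

# Port 25 is opportunistic: a strict list there only pushes old senders
# back to cleartext. Port 587 carries credentials, so RC4 and anything
# below HIGH are refused there. Assumes $received_port is usable here.
tls_require_ciphers = ${if =={$received_port}{587}\
    {HIGH:!aNULL:!eNULL:!EXPORT:!RC4}\
    {ALL:!aNULL:!eNULL:!EXPORT}}

# Advertise AUTH only on an encrypted session, so PLAIN/LOGIN
# credentials never cross the wire in the clear.
auth_advertise_hosts = ${if eq{$tls_in_cipher}{}{}{*}}
```

To confirm the split after a restart, `openssl s_client -starttls smtp -connect <host>:587 -cipher RC4` should fail to complete the handshake while the same command against port 25 still succeeds.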
