On 28.03.2018 at 09:10, Konstantin Boyandin via Exim-users wrote:
> Hello,
>
> After having scanned a 4.90.1 installation with OpenVAS, the below was
> reported:
>
> 'Weak' cipher suites accepted by this service via the
> TLSv1.0/TLSv1.1/TLSv1.2 protocols: TLS_RSA_WITH_SEED_CBC_SHA
>
> Default settings (no explicit "tls_require_ciphers",
> "openssl_options") are in use.
>
> Can someone recommend the simplest cipher selection for Exim, to exclude
> the mentioned cipher? The settings present on cipherli.st:
>
> tls_require_ciphers = AES128+EECDH:AES128+EDH
> openssl_options = +no_sslv2 +no_sslv3
>
> seem kind of too strict; there were reported problems receiving email
> after the above were put in effect.
>
> Sincerely,
> Konstantin
In theory: if you disable SSLv3 you're doing the world a big favor, but unfortunately, the world hates you for it.

In practice: a "*******" of mailserver implementations worldwide still use SSLv3 to connect to your mailserver. Disabling it removes your ability to get that email, which results in all sorts of problems.

You can find a list of ciphers typically used here:
https://marius.bloggt-in-braunschweig.de/2017/05/30/haeufigkeit-von-tls-ciphern/

These statistics were made by analyzing our mailserver cluster (which has also led to some f****** hilarious discoveries of crypto fails in Germany's "secure" government infrastructure. I could still LOL all day :D)

As you can see from the list, a lot of connections are made with TLS 1.0, which has the same problems as SSLv3 and should not be used. Even TLS 1.1 should not be used, but (again) a lot of systems don't care. If you rely on TLS 1.2 alone, your mailbox will stay empty most of the day.

General guideline:

First, make sure your server favors TLS 1.2 over any other protocol (Exim ensures it, so you're good).
Second, make sure it favors a good cipher over weak ones. Use -LOW:-MID

"You can only be as secure as the other part of the connection wants you to be secure."

What's a good cipher? Let others decide this, who know it better than you and me ;)
https://www.owasp.org/index.php/TLS_Cipher_String_Cheat_Sheet

Cipherlist: A+ => A => B => C => C-

best regards,
Marius

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
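A way to see what a candidate tls_require_ciphers value actually enables before putting it into Exim, as an added example (my own Python, not Exim's code and not from either poster). Exim built against OpenSSL hands the string to SSL_CTX_set_cipher_list(), and Python's ssl module exposes the same cipher-string grammar, so the script expands a string with the local OpenSSL and reports whether TLS_RSA_WITH_SEED_CBC_SHA (OpenSSL name SEED-SHA, which OpenSSL files under its MEDIUM class) survives. It also flags tokens that select nothing, which catches both compiled-out aliases and typos such as MID (OpenSSL's keyword is MEDIUM, and it silently ignores words it does not know). The strict string is the cipherli.st line quoted in the question; the broader HIGH-based string is my own assumption of a less strict alternative, not a recommendation from the list.

```python
"""Expand OpenSSL cipher strings the way Exim's tls_require_ciphers does
(Exim on OpenSSL passes the value to SSL_CTX_set_cipher_list) and check
whether a suite a scanner flagged is still offered.  Needs only the
Python ssl module and the OpenSSL it is linked against."""
import ssl

# Suite named in the OpenVAS finding, by IANA name and by OpenSSL name.
SCANNER_FINDING = "TLS_RSA_WITH_SEED_CBC_SHA"
OPENSSL_NAME = "SEED-SHA"

# Candidate strings: the cipherli.st line quoted in the thread, and (my
# assumption, not from the thread) a broader HIGH-only string that still
# drops SEED, because OpenSSL classes SEED-SHA as MEDIUM, not HIGH.
CANDIDATES = {
    "cipherli.st (strict)": "AES128+EECDH:AES128+EDH",
    "HIGH only (broader)": "HIGH:!aNULL:!eNULL:!MD5",
}


def enabled_cipher_names(cipher_string):
    """Pre-TLS1.3 suites the local OpenSSL enables for cipher_string, in
    the preference order a server using it would offer them.  TLS 1.3
    suites are governed by a separate setting, so they are left out."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def offers_suite(cipher_string, openssl_name=OPENSSL_NAME):
    """True if the flagged suite survives the cipher string."""
    return openssl_name in enabled_cipher_names(cipher_string)


def dead_tokens(cipher_string):
    """Tokens of cipher_string that select no suite in this OpenSSL build.
    OpenSSL silently ignores words it does not recognise, so a typo such as
    MID (the real keyword is MEDIUM) in a positive term quietly changes what
    the server offers; for a '!' exclusion a dead token is merely useless."""
    dead = []
    for token in cipher_string.split(":"):
        word = token.lstrip("!-+")
        if not word or word.startswith("@"):  # @STRENGTH, @SECLEVEL=n
            continue
        try:
            enabled_cipher_names(word)
        except ssl.SSLError:
            dead.append(word)
    return dead


def evaluate(cipher_string):
    """The summary worth reading before editing the Exim configuration."""
    names = enabled_cipher_names(cipher_string)
    return {
        "suites": len(names),
        "first_offered": names[0],
        "seed_offered": OPENSSL_NAME in names,
        "dead_tokens": dead_tokens(cipher_string),
    }


if __name__ == "__main__":
    for label, cs in CANDIDATES.items():
        print(f"{label}: tls_require_ciphers = {cs}")
        for key, value in evaluate(cs).items():
            print(f"  {key}: {value}")
    # The reply's "-LOW:-MID": MID is not an OpenSSL keyword, so it is dead.
    print("dead tokens in ALL:-LOW:-MID ->", dead_tokens("ALL:-LOW:-MID"))
```

Run it on the mail server itself, not a workstation: Exim uses that host's OpenSSL, and both the expansion and the dead-token check depend on which ciphers that build contains and on its default security level. Once a string looks right, set it as tls_require_ciphers in the Exim main configuration and re-run the external scan that produced the finding.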
