On 19/05/2019 19:12, Cyborg via Exim-users wrote:
> On 19.05.19 at 19:24 Jeremy Harris via Exim-users wrote:
>> On 19/05/2019 18:00, Cyborg via Exim-users wrote:
>>> Problem is that even if TLS 1.2 has been out since 2008, a communication
>>> partner may use SSLv3 or TLS 1.0/1.1, and using just "encrypted = *",
>>> you will accept i
>>>
>>> It's better to check the protocol via $tls_cipher for TLS 1.2 and 1.3,
>>> and reject anything not 1.2 or 1.3.
>> If you are concerned about TLS versions, the easiest configuration
>> is using tls_require_ciphers (for GnuTLS, where it is a GnuTLS priority
>> string) or openssl_options (for OpenSSL).
>>
> ... and here reality kicks in :D Let me explain ...
>
> If you disable TLS < 1.2 for any TLS host you get in contact with,
> you may end up with some important server, unfortunately created by
> dump&dumper Corp (i.e. citrix), and therefore without a working
> TLS 1.2 or better MTA, which does not transport personal, but vital
> system data.
>
> Which sums up as: we want to check TLS 1.2+ for "normal" connections, but
> may need to receive TLS < 1.2 for some special servers, but don't want to
> make special cases in the config file. We, i.e., have the switches in
> a db on a per-case schema.
tls_require_ciphers is expanded, both main and transport versions.
openssl_options is not; anybody interested could raise an RFE.
--
Cheers,
  Jeremy

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
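One way to put Jeremy's point to use, as an added example that is not from this thread nor from Exim's own documentation: because the main tls_require_ciphers is expanded per connection, the accepted protocol range can be chosen from a host list, and an ACL can additionally reject sessions that negotiated below TLS 1.2 unless the peer is on that list, which covers Cyborg's "special servers" without per-host stanzas in the config. It assumes a GnuTLS build (so the value is a GnuTLS priority string), that $sender_host_address is already set when the main option is expanded, a constructed host list file /etc/exim/legacy-tls-hosts (a database lookup would work the same way), and an ACL named acl_check_rcpt; $tls_in_cipher is the current name of the $tls_cipher variable mentioned above.

```exim
# Added example (not from the thread): per-host TLS version floor in Exim, GnuTLS build.

# Hosts still allowed to speak TLS 1.0/1.1. Path and contents are an assumption;
# the lsearch file could be replaced by any single-key lookup such as a database.
hostlist legacy_tls_hosts = lsearch;/etc/exim/legacy-tls-hosts

# The main tls_require_ciphers is expanded when an inbound connection starts TLS
# (assumption: $sender_host_address is set by then), so the priority string
# itself can drop SSLv3 and TLS 1.0/1.1 for everyone except the listed hosts.
# The transport option is expanded too and could key on $host_address instead.
tls_require_ciphers = ${if match_ip{$sender_host_address}{+legacy_tls_hosts}\
                         {NORMAL}\
                         {NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1}}

# OpenSSL builds: openssl_options is not expanded, so the floor is global only:
# openssl_options = +no_sslv2 +no_sslv3 +no_tlsv1 +no_tlsv1_1

# Second line of defence: reject in the RCPT ACL if the negotiated suite is
# not TLS 1.2/1.3. $tls_in_cipher looks like "TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256"
# (GnuTLS) or "TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256" (OpenSSL), hence the "v?".
acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:
  deny  message    = TLS 1.2 or newer is required by this server
        encrypted  = *
        !hosts     = +legacy_tls_hosts
        !condition = ${if match{$tls_in_cipher}{\N^TLSv?1\.[23]:\N}}

  accept
```

The priority-string expansion stops weak versions from being negotiated at all, so legacy peers not on the list fail the handshake rather than reaching the ACL; the ACL check is there for the case where the ciphers option cannot carry the policy (an OpenSSL build, or a TLS stack that ignores part of the string), and it logs a clear rejection reason instead of a bare handshake failure.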
