Hi, this post is only relevant for European Corps or Organisations WITH mail servers in or outside of the EU. If you are not based in the EU, you can skip this.

As a possible mitigation for CVE-2019-15846, stopping to use TLS in the form of tls_advertise_hosts = in your config is a bigger deal than you may think. Article 32 p 1 EU GDPR states that the transport of personal data has to be protected if it's easily possible, which it is regarding TLS in mail servers. Here it's trivial, by just activating it in the exim.config, as it's trivial today in webservers like Apache with the help of Let's Encrypt. This issue is already known to the data protection agencies in the EU, as they got explicitly informed about it in May 2018 by the EU technical group that "invented" the EU GDPR (before it got rewritten by advocates). (How do I know? I initiated it ;) )

This means as a consequence that if you disable TLS, it becomes a data protection violation. Of course, no one will sue you, as the protection of your service comes first, but you have to inform your clients about this incident and you have to make a note about it. You simply can't keep it to yourself if you are a company or organisation admin inside the EU. If you negate the attack vector without disabling TLS, all is fine for you.

best regards,
Marius

( JFYI, the hardcore consequence of Article 32 is that you have to reject clear SMTP connections without TLS 1.2+ protection. That's because you don't know what clients may send via the unprotected connection before they have sent it. This means you have to protect the client from it before it happens. That's also the reason why you have to use https with contact forms in websites since 2016 )

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
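As an added illustration (not part of Marius's post and not the Exim project's own configuration): the weak mitigation from the post beside an Exim configuration that keeps STARTTLS advertised and applies the "hardcore consequence" of rejecting clear SMTP sessions. The certificate paths are placeholders, and the openssl_options protocol names are assumed for an OpenSSL build (GnuTLS builds set the minimum version via tls_require_ciphers instead).

```exim
# Weak mitigation the post warns against: an empty host list means STARTTLS
# is never advertised, so every client is forced to send in clear text.
# tls_advertise_hosts =

# Keep advertising STARTTLS to every connecting host.
tls_advertise_hosts = *
tls_certificate = /etc/exim/certs/mail.example.org.pem   # placeholder path
tls_privatekey  = /etc/exim/certs/mail.example.org.key   # placeholder path

# OpenSSL builds only: refuse protocol versions older than TLS 1.2
# (option names assumed; check "exim -bV" for the TLS library in use).
openssl_options = +no_sslv2 +no_sslv3 +no_tlsv1 +no_tlsv1_1

# Run this ACL at MAIL FROM so no message data is accepted over an
# unprotected session.
acl_smtp_mail = acl_check_mail

begin acl

acl_check_mail:
  # "encrypted" is true only when STARTTLS has been negotiated on the
  # current session; everything else is rejected before any data flows.
  deny  !encrypted = *
        message = STARTTLS is required on this server
  accept
```

Rejecting at MAIL FROM also turns away remote MTAs that never offer TLS, which is exactly the trade-off the post describes as the strict reading of Article 32.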
