On 11.06.21 at 00:37, Jeremy Harris via Exim-users wrote:
On 10/06/2021 13:52, Cyborg via Exim-users wrote:
After reading the paper a bit closer, rejecting the entire connection when an HTTP header line is detected seems to be the only valid option here, as long as ALPN isn't implemented widely.

Do we need ACL-level visibility of a synprot-rejected line?


Don't think so, as the first line of communication will be rejected; there is no SMTP happening.

Heiko's suggestion to set smtp_max_synprot_errors = 0 is the workaround to go with atm.

But, ALPN implemented by what protocols?

All but ESMTP. That's the whole point of ALPN. "You reject what's not intended for you."


The next level would be something like
- server option hosts_require_alpn
- client options hosts_offer_alpn, hosts_require_alpn
And logging.

As a consequence, yes. ATM only a few others have adopted ALPN, so you can plan and implement those features without any hurry.

I can imagine that gnutls, libre and openssl also need time to offer API functions to support or enable this. So it will take time anyway before it can be implemented fully. For the moment, a reject reaction on any HTTP/ header or a default of 0 protocol errors would be sufficient.

Best regards,
marius
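As an added illustration (not from the thread and not Exim's source), here is a small Python emulation of the synprot-error accounting the smtp_max_synprot_errors = 0 workaround relies on, run over a constructed HTTP request arriving on an SMTP listener: with the default limit the server answers three 500s before dropping, with the limit set to 0 it drops on the very first line. The counter semantics, reply texts and log wording are assumptions modelled on Exim's documented behaviour, not its code.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# HTTP/0.9-1.1 request line: the first thing an SMTP listener sees when a TLS
# connection meant for a web server is redirected to it (the ALPACA scenario).
HTTP_REQUEST_LINE = re.compile(
    r"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|TRACE|CONNECT|PATCH) \S+( HTTP/\d\.\d)?$"
)
# SMTP verbs an Exim server recognises (RFC 5321, RFC 3207, RFC 4954).
SMTP_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT",
              "VRFY", "HELP", "STARTTLS", "AUTH"}


@dataclass
class SmtpSession:
    """Assumed model of Exim's synprot accounting: each unrecognised line gets a
    500 reply and bumps the counter; once it exceeds smtp_max_synprot_errors the
    connection is dropped with a 554."""
    max_synprot_errors: int = 3          # Exim's documented default
    synprot_errors: int = 0
    log: List[str] = field(default_factory=list)

    def handle_line(self, line: str) -> Tuple[str, bool]:
        """Return (reply, keep_open) for one client line."""
        verb = line.split(" ", 1)[0].upper()
        if verb in SMTP_VERBS:
            return "250 OK", True         # placeholder reply; real dispatch omitted
        if HTTP_REQUEST_LINE.match(line):
            self.log.append(f"cross-protocol: HTTP request line on SMTP port: {line!r}")
        else:
            self.log.append(f"synprot error: {line!r}")
        self.synprot_errors += 1
        if self.synprot_errors > self.max_synprot_errors:
            return "554 Too many syntax or protocol errors", False
        return "500 unrecognized command", True


def run(lines: List[str], max_errors: int) -> Tuple[List[str], List[str]]:
    """Feed lines to a fresh session; stop when the server drops the connection."""
    session = SmtpSession(max_synprot_errors=max_errors)
    replies = []
    for line in lines:
        reply, keep_open = session.handle_line(line)
        replies.append(reply)
        if not keep_open:
            break
    return replies, session.log


# Constructed sample: a browser-style request landing on port 25/465.
HTTP_ON_SMTP = ["GET / HTTP/1.1", "Host: mail.example.test", "User-Agent: x", ""]
```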

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
