On Mon, 20 Sep 2021, Viktor Dukhovni via Exim-users wrote:
On Mon, 20 Sep 2021 "Thomas" wrote:
Any site, that does not support at least TLS 1.2 is running absolutely
outdated software. GnuTLS handshake errors are logged very few times
(<<1% of the messages), I suppose that enabling TLS1.1 and lower would
not increase encrypted connections very much.
Indeed, but my take is that some encryption is better than no
encryption, see <https://datatracker.ietf.org/doc/html/rfc7435>.
Anyway: My main goal is to protect credentials of my users, if I would
enable TLS1.1 and lower, I would risk that this communication is not
secured adequately.
Indeed, that's why I would recommend a floor of TLS 1.2 for portss 587
and 465, but not necessarily port 25.
Additionally, I enforce encryption (TLS1.2+) on outgoing connections
(only very few sites do not support that, I maintain a list of
exceptions, when I see mails lingering in the queue).
This is where our priorities differ. Barring a practical downgrade
attack on SMTP STARTTLS made possible by keeping TLS 1.0 enabled, I
see little reason yet to force the remaining TLS 1.0 to use cleartext.
(Yes I'm aware of past cross-protocol attacks, see the author list of
DROWN: <https://drownattack.com/drown-attack-paper.pdf>)
Anyway, your call of course. My take is that supporting TLS 1.0 does
not in any practical way reduce the security of email sent to sites that
support TLS 1.2 or 1.3. TLS version negotiation is downgrade resistant.
Downgrades would in any case require an active attack, and SMTP STARTTLS
does not defend against active attacks. Far easier to just strip
STARTTLS than to perform TLS version downgrades.
DROWN makes me think it would be sensible not to use the same
certificate for SMTP with TLS 1.0 or 1.1 and any non-SMTP service
- particularly webmail.
--
Andrew C. Aitchison Kendal, UK
[email protected]
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
