Cyborg via Exim-users wrote on 14.05.2025 11:36:
> On 14.05.25 at 09:59, Viktor Ustiuhov via Exim-users wrote:
>>> Reading a little more, I see that I should use:
>>> auth_advertise_hosts = ${if eq{$tls_cipher}{}{*}{*}}
>> That doesn't make sense. Maybe you meant
>>
>> auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}
>
> you are both wrong with this suggestion:
>
> If you just test IF a cipher is present, you can end up with allowing
> TLS1.0, depending on the security policy and ssl config in the system.

I do not see any requirement in the task to limit the version of TLS, so the solution fully complies with the conditions of the task.

> What you really want to do is to test that
>
> a) it's filled at all
> b) test for TLS 1.2 and 1.3
>
> because everything else is broken & insecure.

If everything else is broken & insecure, then you have chosen the wrong place to restrict the version of TLS. See tls_require_ciphers and especially openssl_options. So to my mind you are wrong with this suggestion.

> with OPENSSL i.e. in acl_check_mail:
>
> deny condition = ${if eq{${substr_0_6:$tls_cipher}}{TLS1.2} {0}{1}}
>      condition = ${if eq{${substr_0_6:$tls_cipher}}{TLS1.3} {0}{1}}
>      message = Sender did not use TLSv1.2+ secured connections.
>
> of course you can put this test in another form at another place, it's
> just an example.
>
> don't forget to add this on your transport too or you send out
> unencrypted mails and get sued for it.
>
>
> best regards,
> Cyborg

--
Best wishes
Viktor Ustiuhov
mailto:vic...@corvax.kiev.ua
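As an added example (not configuration from this thread, from Exim's own documentation, or from either poster), the following Exim fragment combines the two positions above: the protocol floor is set at the TLS layer with openssl_options, and the cipher-string check in the ACL stays only as defence in depth. Option and variable names are standard Exim ones ($tls_in_cipher is the current name for $tls_cipher); the tls_require_ciphers value is an assumption to adjust for the site.

```exim
# ---- main section (before any "begin" line) ----
acl_smtp_mail = acl_check_mail

# Enforce the protocol floor where it belongs: in the TLS layer itself.
# With these options OpenSSL never completes a TLS 1.0/1.1 handshake,
# so $tls_in_cipher can only be empty (cleartext) or start with TLS1.2/TLS1.3.
openssl_options = +no_sslv2 +no_sslv3 +no_tlsv1 +no_tlsv1_1

# Assumed OpenSSL cipher list; adjust to the site's policy.
tls_require_ciphers = HIGH:!aNULL:!MD5:!RC4

# Offer AUTH only once the session is encrypted (the corrected form from
# the thread, written with the current variable name).
auth_advertise_hosts = ${if eq{$tls_in_cipher}{}{}{*}}

begin acl

acl_check_mail:
  # Belt-and-braces check at MAIL FROM: deny unless the inbound cipher
  # string starts with TLS1.2 or TLS1.3. \N...\N stops Exim expanding the
  # regex, so the backslash reaches the regex engine intact. An empty
  # string (cleartext session) does not match and is denied as well.
  deny  message     = Sender did not use a TLSv1.2+ secured connection.
        log_message = cleartext or pre-TLS1.2 session: cipher='$tls_in_cipher'
       !condition   = ${if match{$tls_in_cipher}{\N^TLS1\.[23]\N}}

  accept

begin transports

# Outbound side: openssl_options above already applies to the client
# handshake, so this only insists that TLS is negotiated at all.
remote_smtp:
  driver = smtp
  hosts_require_tls = *
```

Check the result with `exim -bV` to confirm the build's OpenSSL accepts the chosen openssl_options, then with `exim -bh <address>` to walk a test session through the ACL.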