On Tue, May 20, 2014 at 12:03:29PM +0100, Colin Fowler wrote:

> ADH is susceptible to MITM attacks, but I can't seem to turn it off.

Opportunistic TLS, which is all that is possible for SMTP without DANE
(DNSSEC with TLSA records for SMTP), is vulnerable to multiple MiTM
attacks, and turning off NULL authentication cipher-suites does not
change this; it just sweeps the problem (that clients don't and can't
authenticate your server) under the rug. See:

    http://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-09#section-1.3

> I've tried various permutations of

Your attempts are misguided. It is best to leave aNULL cipher-suites
enabled. See:

    https://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-09#section-8.2

-- 
	Viktor.