Sam:
> Hello everyone
>
> when I run `nmap --script vuln example.com` against a server I manage, I
> get the following vulnerability on my server on both ports 465 and 587.
> The only solutions I found are for legacy systems.
>
> 587/tcp open  submission
> | ssl-dh-params:
> |   VULNERABLE:
> |   Anonymous Diffie-Hellman Key Exchange MitM Vulnerability
> |     State: VULNERABLE
> |       Transport Layer Security (TLS) services that use anonymous
> |       Diffie-Hellman key exchange only provide protection against passive

Yes, anonymous ciphers do not authenticate. That is a feature, not
a bug. PKI alone cannot authenticate an SMTP server; that requires
DANE with DNSSEC.

Wietse
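
An added example, not part of the thread above: a small Python check that sorts the cipher suites a scan reports per port into anonymous (no server authentication) and authenticated, using the IANA and OpenSSL naming conventions. The sample data, port 993 and the function names are constructed for illustration.

```python
import re

# IANA names mark unauthenticated key exchange with "_anon" before "_WITH_".
IANA_ANON = re.compile(r"^TLS_(?:DH|ECDH)_anon_(?:EXPORT_)?WITH_")
# OpenSSL names use ADH-* (anonymous DH) and AECDH-* (anonymous ECDH).
OPENSSL_ANON = re.compile(r"^(?:EXP-)?(?:ADH|AECDH)-")


def is_anonymous(suite: str) -> bool:
    """True when the suite's key exchange carries no server authentication."""
    return bool(IANA_ANON.match(suite) or OPENSSL_ANON.match(suite))


def summarize(offered):
    """Split each port's accepted suites into anonymous and authenticated."""
    report = {}
    for port, suites in offered.items():
        report[port] = {
            "anonymous": sorted(s for s in suites if is_anonymous(s)),
            "authenticated": sorted(s for s in suites if not is_anonymous(s)),
        }
    return report


def ports_offering_anonymous(offered):
    """Ports on which at least one anonymous suite was accepted."""
    return sorted(p for p, r in summarize(offered).items() if r["anonymous"])


# Constructed sample: suites a scanner might list as accepted on each port.
SAMPLE = {
    465: ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
          "TLS_DH_anon_WITH_AES_128_CBC_SHA"],
    587: ["ECDHE-RSA-AES256-GCM-SHA384",
          "ADH-AES256-GCM-SHA384",
          "AECDH-AES128-SHA"],
    993: ["TLS_AES_128_GCM_SHA256", "DHE-RSA-AES128-SHA"],
}

if __name__ == "__main__":
    for port, groups in summarize(SAMPLE).items():
        print(port, "anonymous:", groups["anonymous"] or "none")
    print("ports offering anonymous suites:", ports_offering_anonymous(SAMPLE))
```

A port that appears in the result accepts at least one suite in which the server presents no certificate, which is the condition the scan finding above reports.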