Sam:
When I run `nmap --script vuln example.com` against a server I manage, I
get the following vulnerability on my server on both ports 465 and 587.
The only solutions I found are for legacy systems.
...and those solutions are?
587/tcp open submission
| ssl-dh-params:
| VULNERABLE:
| Anonymous Diffie-Hellman Key Exchange MitM Vulnerability
| State: VULNERABLE
| Transport Layer Security (TLS) services that use anonymous
| Diffie-Hellman key exchange only provide protection against passive
On 07.01.23 07:36, Wietse Venema wrote:
Yes, anonymous ciphers do not authenticate. That is a feature, not
a bug. PKI alone cannot authenticate an SMTP server, that requires
DANE with DNSSEC.
This should apply especially on port 25 where the encryption is by default
optional.
On ports 465 and 587 where mandatory encryption is logical and default, one
can disable aDH by adding it to smtp_tls_mandatory_exclude_ciphers.
--
Matus UHLAR - fantomas, [email protected] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
I don't have lysdexia. The Dog wouldn't allow that.
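
An added example, not part of any message in this thread: a small parser for nmap output in the format quoted at the top, listing the ports on which ssl-dh-params still reports the anonymous DH finding, so a scan can be compared before and after a cipher change. The sample input is constructed, and the function names are this example's own.

```python
import re

# Constructed sample in the format of the scan output quoted in the thread
# (ports and results are illustrative, not taken from a real scan).
SAMPLE = """\
25/tcp  open  smtp
465/tcp open  smtps
| ssl-dh-params:
|   VULNERABLE:
|   Anonymous Diffie-Hellman Key Exchange MitM Vulnerability
|     State: VULNERABLE
587/tcp open  submission
| ssl-dh-params:
|   VULNERABLE:
|   Anonymous Diffie-Hellman Key Exchange MitM Vulnerability
|_    State: VULNERABLE
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+\S+\s+\S+")
SCRIPT_RE = re.compile(r"^([a-z0-9][a-z0-9-]*):(\s|$)")  # e.g. "ssl-dh-params:"
STATE_RE = re.compile(r"^State:\s*(.+)$")


def parse_findings(text):
    """Return (port, script, title, state) tuples from nmap text output."""
    findings, port, script, prev = [], None, None, ""
    for raw in text.splitlines():
        m = PORT_RE.match(raw)
        if m:                                   # new port section starts
            port, script, prev = int(m.group(1)), None, ""
            continue
        if not raw.startswith("|") or port is None:
            continue                            # not script output
        line = raw.lstrip("|_").strip()         # drop the "|" / "|_" gutter
        m = SCRIPT_RE.match(line)
        if m:                                   # lowercase name = script header
            script, prev = m.group(1), ""
            continue
        m = STATE_RE.match(line)
        if m and script:                        # title is the line before "State:"
            findings.append((port, script, prev, m.group(1).strip()))
        elif line:
            prev = line
    return findings


def anon_dh_ports(text):
    """Ports where ssl-dh-params reports the anonymous DH finding."""
    return sorted({p for p, script, title, state in parse_findings(text)
                   if script == "ssl-dh-params"
                   and "Anonymous Diffie-Hellman" in title
                   and state.startswith(("VULNERABLE", "LIKELY VULNERABLE"))})
```

Feed it the saved output of the same scan after changing the cipher exclusions; an empty list means the finding is no longer reported on any port.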