[Ach] Exim section
Wolfgang Breyha
wolfgang.breyha at univie.ac.at
Tue Feb 24 19:17:15 CET 2015
On 24/02/15 17:30, Sebastian wrote:
> I just had to configure a Exim server and found some things that
> probably need work:
>
> The definition of cert and key paths is in every section (submission,
> incoming, client). This can be probably cut down to one at the beginning.
Maybe for MSA and MTA, not for client. Since we decided to make different
recommendations for MTA and MSA it makes sense to provide two distinct
sections.
For client mode it seems you have missed the
"... have to be done in the configuration section of the smtp
transport..."-part.
>> Add the following rules on top of your acl_smtp_mail:
>> [Listing ...]
>> This switches Exim to submission mode and allows addition of missing
>> “Message-ID” and “Date” headers.
> This does not belong in this guide. This has nothing to do with transport
> crypto.
And therefore we should not give the minimum requirement to switch Exim to
MSA mode in the MSA section?
>> It is not advisable to restrict the default cipher list for MSA mode if you don’t know all connecting
>> MUAs. If you still want to define one please consult the Exim
>> documentation or ask on the exim-users mailing list.
> This refers to the docs to change the cipher string. But in "SMTP in
> general" we have:
>> For MSA operation we recommend: [...]
>> optionally use the recommended cipher suites if (and only if) all your
>> connecting MUAs support them
> I think it should be described how to do that. The admin decides if he
> deploys the settings we recommend here.
You changed the order. First we recommend "in general". Afterwards we give
a stricter opinion for Exim.
This is because the Exim Maintainers gave a clear statement that they do
not recommend to change cipher suites. Since I'm part of this community I
won't do the opposite. We should refer to the Exim docs and exim-users which
is the best place for Exim admins anyway. An admin who followed our
recommendation to read
http://exim.org/exim-html-current/doc/html/spec_html/ch-encrypted_smtp_connections_using_tlsssl.html
first, already knows how to change cipher suites, anyway. Those who didn't
are not skilled enough to make a decision of this kind.
> Another paragraph with possibly too generic content:
>> Exim string expansion: Note that most of the options accept expansion strings. This way you can
>> e.g. set cipher lists or STARTTLS advertisement conditionally. Please
>> follow the link to the official Exim documentation to get more
>> information.
A hint. Nothing more. Exim string expansion is not the topic of this document,
but it's worth mentioning it.
Greetings, Wolfgang
--
Wolfgang Breyha <wolfgang.breyha at univie.ac.at> | http://www.blafasel.at/
Vienna University Computer Center | Austria
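As an added illustration of the configuration split discussed in this thread (it is not the guide's listing nor Wolfgang's or Sebastian's code): server-side certificate and key belong in the main section, the submission switch sits at the top of the MAIL ACL, and client-mode TLS settings have to be repeated inside the smtp transport. The file paths, the ACL name `acl_check_mail` and the transport name `remote_smtp` are placeholders chosen for this example. No `tls_require_ciphers` is set, matching the advice above to leave the cipher list to the Exim defaults unless you know every connecting MUA.

```exim
# Added example, not from the ACH guide. Paths are placeholders.

# Main section: server-side TLS used by the MTA/MSA listeners.
tls_certificate = /etc/exim/certs/PLACEHOLDER-server.pem
tls_privatekey  = /etc/exim/certs/PLACEHOLDER-server.key
tls_advertise_hosts = *

# Hook the MAIL ACL so the submission control is applied first.
acl_smtp_mail = acl_check_mail

begin acl

# Authenticated sessions are switched to submission mode; in that mode Exim
# adds missing Message-ID and Date headers itself.
acl_check_mail:
  accept authenticated = *
         control = submission
  accept

begin transports

# Client mode: outbound TLS options live in the smtp transport, not in the
# main section, so the certificate/key paths are stated here on purpose.
remote_smtp:
  driver = smtp
  tls_certificate = /etc/exim/certs/PLACEHOLDER-client.pem
  tls_privatekey  = /etc/exim/certs/PLACEHOLDER-client.key
  hosts_try_tls = *
```

Check the result with `exim -bV` for syntax and `exim -bh` (host testing mode) against a fake authenticated session to confirm the submission control is applied before any other MAIL ACL verdict.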