Do not offer TLS. (This mitigation is not recommended.)
+For a attacking SNI the following ACL snippet should work:
+
+ # to be prepended to your mail acl (the ACL referenced
+ # by the acl_smtp_mail main config option)
+ deny condition = ${if eq{\\}{${substr{-1}{1}{$tls_in_sni}}}}
+ deny condition = ${if eq{\\}{${substr{-1}{1}{$tls_in_peerdn}}}}
+
Fix
===
git://git.exim.org / exim-website.git / blobdiff