Add acl snippet as a mitigation method

author Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>

Fri, 6 Sep 2019 10:58:36 +0000 (12:58 +0200)

committer Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>

Fri, 6 Sep 2019 10:58:36 +0000 (12:58 +0200)
author Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>
Fri, 6 Sep 2019 10:58:36 +0000 (12:58 +0200)
committer Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>
Fri, 6 Sep 2019 10:58:36 +0000 (12:58 +0200)
diff --git a/templates/static/doc/security/CVE-2019-15846.txt b/templates/static/doc/security/CVE-2019-15846.txt

index 3a78aa527df38502a60c0c9439f82ee10ff18dcf..aabdf1d9da933fb309d8535626e738381daee029 100644 (file)
--- a/templates/static/doc/security/CVE-2019-15846.txt
+++ b/templates/static/doc/security/CVE-2019-15846.txt
@@ -27,6 +27,11 @@ Mitigation
  
  Do not offer TLS. (This mitigation is not recommended.)
  
+For a attacking SNI the following ACL snippet should work:
+
+    # to be prepended to your mail acl (acl_smtp_mail)
+    deny    condition = ${if eq{\\}{${substr{-1}{1}{$tls_in_sni}}}}
+
  Fix
  ===
author	Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>
	Fri, 6 Sep 2019 10:58:36 +0000 (12:58 +0200)
committer	Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>
	Fri, 6 Sep 2019 10:58:36 +0000 (12:58 +0200)