From 8985012787adcd5c6c57f2cc19bc66da78ed8610 Mon Sep 17 00:00:00 2001
From: "Heiko Schlittermann (HS12-RIPE)" <hs@schlittermann.de>
Date: Fri, 6 Sep 2019 12:58:36 +0200
Subject: [PATCH] Add acl snippet as a mitigation method

---
 templates/static/doc/security/CVE-2019-15846.txt | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/templates/static/doc/security/CVE-2019-15846.txt b/templates/static/doc/security/CVE-2019-15846.txt
index 3a78aa5..aabdf1d 100644
--- a/templates/static/doc/security/CVE-2019-15846.txt
+++ b/templates/static/doc/security/CVE-2019-15846.txt
@@ -27,6 +27,11 @@ Mitigation
 
 Do not offer TLS. (This mitigation is not recommended.)
 
+For a attacking SNI the following ACL snippet should work:
+
+    # to be prepended to your mail acl (acl_smtp_mail)
+    deny    condition = ${if eq{\\}{${substr{-1}{1}{$tls_in_sni}}}}
+
 Fix
 ===
 
-- 
2.30.2