Hi,
[re-post with a better subject]

since there is currently a lot of work being done with respect to TLS
information, I'd like to bring the following into discussion again.

What do you think about it?

(Viktor's opinion was that we shouldn't leave the decision about
aborting/continuing the TLS session to the user, but I think
providing this option is more in the spirit of exim.)

----- Forwarded message from Heiko Schlittermann <[email protected]> -----

Date: Thu, 3 Apr 2014 23:27:20 +0200
From: Heiko Schlittermann <[email protected]>
To: Phil Pennock <[email protected]>
Cc: Viktor Dukhovni <[email protected]>, Todd Lyons <[email protected]>
Subject: Re: DANE

Phil Pennock <[email protected]> (Do 03 Apr 2014 21:23:27 CEST):
> On 2014-04-03 at 15:46 +0000, Viktor Dukhovni wrote:
> > Don't know about TLS authentication in Exim, can one specify per
> > destination-domain peer names, fingerprints, trust anchors, ...
> 
> Exim's client TLS verification, if enabled, is for certificate
> validation but not hostname validation.  That would need to be added.
> You can specify trust anchors, yes.

What about an smtp transport option, roughly like this:

    tls_continue = …        

+------------+---------+--------------+-------------+
|tls_continue|Use: smtp|Type: boolean*|Default: true|
+------------+---------+--------------+-------------+

This option gets expanded right after the basic negotiation, before
starting the "real session". 

    <- 250 ESMTP
    -> EHLO …
    <- …
    -> STARTTLS
    <- 220 TLS 
     …
    [ condition = false ]   [ condition = true ]
    ~> QUIT                 ~> MAIL FROM: …

This option could be used to do useful things with the certificate
information we have (e.g. match the $hostname with the DN)

-- 
Heiko


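As an added illustration (not Exim code, and not part of Heiko's post), the following Python models the decision point the proposed `tls_continue` option would expand: after STARTTLS has completed, look at the certificate the peer presented, match the host we connected to against the names the certificate claims (SAN dNSName entries first, subject CN only as a fallback), and either carry on with MAIL FROM or send QUIT. The function and variable names, the certificate dicts (laid out the way Python's `ssl.SSLSocket.getpeercert()` returns them) and the client hostname are all constructed for the example; nothing here reflects how Exim actually implements expansion or TLS verification.

```python
# Added example, not part of the exim-dev post or of Exim itself.
# It models the post-STARTTLS decision the proposed tls_continue
# option would expand: continue (MAIL FROM) or abort (QUIT) based on
# what we know about the peer certificate.  Certificates are in the
# dict layout of ssl.SSLSocket.getpeercert(); the samples are constructed.

from __future__ import annotations


def _dnsname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: exact match, or a single leftmost '*' label
    standing for exactly one label (no partial-label or deep wildcards)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must be the whole leftmost label, must not cover a TLD,
    # and may only match one label.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert: dict) -> list[str]:
    """Names the certificate claims for itself: dNSName SANs if any are
    present, otherwise the subject commonName(s)."""
    sans = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]


def hostname_matches_cert(hostname: str, cert: dict) -> bool:
    """The 'match the $hostname with the DN' check from the post."""
    return any(_dnsname_matches(name, hostname) for name in cert_names(cert))


def tls_continue(hostname: str, cert: dict) -> bool:
    """Stand-in for the expansion of the proposed option.  Policy here:
    the peer must present a name matching the host we connected to.
    A real expanded string could encode any other policy instead."""
    return hostname_matches_cert(hostname, cert)


def smtp_session_after_starttls(hostname: str, cert: dict, sender: str) -> list[str]:
    """Client side of the exchange shown in the post, from EHLO onward.
    Returns the commands the client sends so the decision is visible."""
    commands = ["EHLO client.example", "STARTTLS"]
    # The TLS handshake is done here and `cert` is what the server sent;
    # the option is expanded now, before the 'real session' starts.
    if tls_continue(hostname, cert):
        commands.append(f"MAIL FROM:<{sender}>")
    else:
        commands.append("QUIT")
    return commands


# Constructed sample certificates (not real), in getpeercert() layout.
GOOD_CERT = {
    "subject": ((("commonName", "mx1.example.org"),),),
    "subjectAltName": (("DNS", "mx1.example.org"), ("DNS", "*.mail.example.org")),
}
# CN looks right, but a dNSName SAN is present and must take precedence.
SAN_OVERRIDES_CN_CERT = {
    "subject": ((("commonName", "mx1.example.org"),),),
    "subjectAltName": (("DNS", "other.example.net"),),
}
# Old-style certificate with no SAN at all: CN is all we have.
CN_ONLY_CERT = {
    "subject": ((("countryName", "DE"),), (("commonName", "mx1.example.org"),)),
}

if __name__ == "__main__":
    for cert in (GOOD_CERT, SAN_OVERRIDES_CN_CERT, CN_ONLY_CERT):
        cmds = smtp_session_after_starttls("mx1.example.org", cert, "postmaster@client.example")
        print(" / ".join(cmds))
```

The SAN-before-CN ordering is the part worth keeping in mind: a certificate whose CN happens to equal the target host but whose SAN lists something else must be treated as a mismatch, which is exactly the case where leaving the abort/continue decision to a per-transport expansion lets the administrator decide how strict to be.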
-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim 
details at http://www.exim.org/ ##
