On 08/05/14 15:45, Heiko Schlittermann wrote:
> What about an smtp transport option *about* like this
>
>     tls_continue = …
>
>     +------------+---------+--------------+-------------+
>     |tls_continue|Use: smtp|Type: boolean*|Default: true|
>     +------------+---------+--------------+-------------+
>
> This option gets expanded right after the basic negotiation, before
> starting the "real session".
>
>     <- 250 ESMTP
>     -> EHLO …
>     <- …
>     -> STARTTLS
>     <- 220 TLS …
>
>     [ condition = false ]      [ condition = true ]
>     ~> QUIT                    ~> MAIL FROM: …
>
> This option could be used to do useful things with the certificate
> information we have (e.g. match the $hostname with the DN)
Oddly-enough I was musing earlier today about some form of callback being
made into exim.conf space for each layer of certificate in a (CA-based)
trust chain, during TLS connection startup. Feels like we're playing in
the same space.

Since a simple expansion can call a custom ACL, which might be given
visibility of that certificate, we can get as complex as we want.

It would be able to do the checking of SN/SAN against the peer name (hmm.
Which one? The MX?) if we didn't get around to hardwiring that (and
apparently if we did hardwire it we'd need an exception for DANE... is
that true?)

It would also be able to trigger full-fat OCSP (not stapling) lookups on
the intermediate certificates, which was where I started.

-- 
Cheers,
  Jeremy

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-dev
## Exim details at http://www.exim.org/
##
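The check both messages talk about, an expansion evaluated after STARTTLS that compares the names in the peer certificate with the name we connected to and then either continues to MAIL FROM or QUITs, is illustrated below. This is an added example, not Exim code and not Heiko's or Jeremy's proposal; it emulates what such a `tls_continue` decision would do in Python. The certificate is a constructed dict (SAN dNSNames plus subject CN) instead of parsed DER so the example runs without a TLS library, and the name-matching rules are those of RFC 6125 section 6.4.3. Which name to accept (the MX host we connected to, the recipient domain, or both) is the "which one?" question from the thread, so the caller passes in the list of acceptable names rather than the code deciding.

```python
"""Post-STARTTLS certificate name check: continue or QUIT.

Added illustration only.  Certificates are constructed dicts of the form
{"san_dns": [...], "cn": "..."}; nothing here parses real X.509 data.
"""


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Return True if certificate dNSName `pattern` covers `hostname`.

    Rules applied (RFC 6125 section 6.4.3):
      * comparison is case-insensitive and ignores a trailing dot;
      * a wildcard is accepted only as the entire left-most label
        ("*.example.org"); "m*.example.org" and "*.org" are rejected;
      * the wildcard covers exactly one label, so "*.example.org" matches
        neither "a.b.example.org" nor "example.org" itself.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if any(not lbl for lbl in h_labels):
        return False  # empty label, e.g. "a..b": never matches
    if "*" not in pattern:
        return p_labels == h_labels
    # Wildcard form: "*" must be the whole first label, no other label may
    # contain "*", and at least two further labels must follow it.
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    if len(p_labels) < 3 or len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]


def certificate_covers(cert: dict, hostname: str) -> tuple[bool, str]:
    """Decide whether `cert` was issued for `hostname`; returns (ok, reason).

    When any SAN dNSName is present the subject CN is ignored entirely,
    which is the rule that catches certificates whose CN looks right but
    whose SAN list does not include the host.
    """
    san_dns = cert.get("san_dns") or []
    if san_dns:
        for name in san_dns:
            if dns_name_matches(name, hostname):
                return True, f"SAN dNSName {name!r} matches"
        return False, "no SAN dNSName matches (CN not consulted when SANs exist)"
    cn = cert.get("cn")
    if cn and dns_name_matches(cn, hostname):
        return True, f"subject CN {cn!r} matches (certificate has no SAN)"
    return False, "neither SAN nor CN matches"


def decide_tls_continue(cert: dict, acceptable_names: list[str]) -> tuple[bool, str]:
    """Emulate the proposed tls_continue decision.

    True  -> proceed to MAIL FROM
    False -> QUIT
    `acceptable_names` is the policy input: typically the MX host name the
    transport connected to, optionally also the recipient domain.
    """
    for name in acceptable_names:
        ok, why = certificate_covers(cert, name)
        if ok:
            return True, f"{name}: {why}"
    return False, "no acceptable name found in peer certificate; QUIT"


# Constructed sample certificate data; not taken from any real server.
MX_CERT = {"san_dns": ["mx1.example.org", "*.mail.example.org"],
           "cn": "mx1.example.org"}
LEGACY_CERT = {"san_dns": [], "cn": "smtp.example.net"}
CN_ONLY_LOOKS_RIGHT = {"san_dns": ["other.example.org"], "cn": "mx1.example.org"}

if __name__ == "__main__":
    cases = [
        (MX_CERT, ["mx1.example.org"]),          # plain SAN match
        (MX_CERT, ["example.org"]),              # domain, not the MX host
        (MX_CERT, ["relay.mail.example.org"]),   # wildcard SAN match
        (LEGACY_CERT, ["smtp.example.net"]),     # CN fallback, no SAN
        (CN_ONLY_LOOKS_RIGHT, ["mx1.example.org"]),  # CN ignored, SAN wins
    ]
    for cert, names in cases:
        go, why = decide_tls_continue(cert, names)
        print("MAIL FROM" if go else "QUIT     ", "-", why)
```

Running the block prints one decision per constructed case; the fourth case shows the CN fallback that only applies when the certificate carries no SAN at all, and the fifth shows why a CN-only check is insufficient once SANs are present.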
