http://bugs.exim.org/show_bug.cgi?id=1170

--- Comment #5 from Jeremy Harris <[email protected]> 2014-05-09 15:37:48 ---

The above commit gets us partway there: we have observability (though as Bjoern notes, stronger hashes would be good).

On the server side we can do enforcement in any post-TLS-startup ACL (meaning acl_smtp_helo, so long as you check for def:tls_in_cipher). There's a security argument for being able to reject the TLS startup negotiation, but this would require another ACL (acl_smtp_tls?).

As a client we cannot do enforcement yet; this seems to need a TLS-verification transport option, returning boolean to accept/deny the connection.

The possibilities here are couched in terms of "tools for the box", allowing flexibility for meeting not-yet-requested needs. There is an alternate view that such are too much rope to give the consumer, for they will get it wrong.
