On 2013-07-22 at 17:45 +0200, Wolfgang Breyha wrote: > I recently changed our configuration to verify SSL certificates. > > I recognized that this changed the behaviour of exim on outgoing connections. > If verification fails he cancels the connection and sends it on a clear > channel. The only way to avoid that is to set host_require_tls = *. But this > means that there is no fallback then. > > I primarily activated verification to be able to log that part of information. > But since I can't get the same behaviour as without verification I think I've > to deactivate it again since I care more about encryption on the wire. Or is > there something I missed in the documentation of the smtp transport?
Not that I know of; I wanted to do the same thing, a while back, haven't fixed it yet. Really, want tls_try_verify_hosts for Exim-as-client, not just Exim-as-server. > In case I didn't, wouldn't it be practical to be able to encrypt even if > verification fails on outgoing delivery? Yes, especially since Exim is only validating the certificate chain, not the claimed hostname. -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
