On 2018-03-28 at 11:43 +0200, Mark Elkins via Exim-users wrote:
> Begs the question, do DANE-enabled machines therefore perhaps require
> stronger encryption, as their owners should know what they are doing?
>
> I've no idea if it's possible to allow weaker encryption for
> opportunistic connections but enforce stronger encryption types on
> DANE-compliant connections?
At present, it would require a bit of fiddling and log processing. We have `$tls_out_dane`, but the value is determined far too late to be usable for setting `tls_require_ciphers` on the Transport. We'd probably want some other variable, set as soon as we have DNS signalling that DANE should be used, which can be referenced. `$smtp_found_dane` or something? Note that DANE support is Experimental, and feedback and requests are a good thing (patches even better!).

If not willing to edit Exim's source, then at present I'd just make sure that `log_selector` includes `+tls_certificate_verified` and look for `CV=dane` in the logs. A log processor could identify all domains where that's seen, and things verified, and then update a DB of "domains we should use better crypto for". It's hacky, but then it would be the beginning of a lightweight reputation tracking system for outbound connections.

-Phil

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
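As an added illustration of the log-processing step Phil sketches (this is not code from the thread or from Exim), the script below scans Exim main-log delivery lines, keeps every recipient domain whose delivery logged `CV=dane`, and renders the result as a `domain: value` file. It assumes `log_selector` includes `+tls_certificate_verified`, so that each `=>` (or `->`) delivery line carries a `CV=` field whose value is `dane` when the peer certificate was verified via DANE. The sample log lines, hostnames and the `SAMPLE_LOG` name are constructed for the example.

```python
"""Hypothetical Exim main-log processor for the approach described in the
thread: collect recipient domains whose outbound deliveries were DANE
verified (CV=dane) and emit a small lookup file.  Added example, not Exim
code.  Assumes log_selector includes +tls_certificate_verified."""
import re
from collections import defaultdict

# A delivery line: "<date> <time> <msgid> => <recipient> R=... T=... H=host [ip] X=... CV=... C=..."
# "->" marks further recipients delivered in the same transaction.
DELIVERY_RE = re.compile(
    r"^(?P<stamp>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<msgid>\S+) (?:=>|->) (?P<rcpt>\S+)"
)
# Fields are matched separately so their relative order does not matter.
HOST_RE = re.compile(r" H=(?P<host>\S+)")
CV_RE = re.compile(r" CV=(?P<cv>\S+)")

# Constructed sample log lines (invented hosts and addresses, not real traffic).
SAMPLE_LOG = [
    '2018-03-28 11:50:01 1f1AbC-0001xY-Qz => alice@dane.example R=dnslookup T=remote_smtp '
    'H=mx1.dane.example [192.0.2.10] X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=dane C="250 OK"',
    '2018-03-28 11:50:02 1f1AbD-0001xZ-Ra => bob@plain.example R=dnslookup T=remote_smtp '
    'H=mx.plain.example [192.0.2.20] X=TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no C="250 OK"',
    '2018-03-28 11:51:10 1f1AbE-0001y0-Sb => carol@dane.example R=dnslookup T=remote_smtp '
    'H=mx2.dane.example [192.0.2.11] X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=dane C="250 OK"',
    '2018-03-28 11:52:00 1f1AbF-0001y1-Tc == dave@deferred.example R=dnslookup T=remote_smtp '
    'defer (-53): retry time not reached for any host',
    '2018-03-28 11:53:00 1f1AbG-0001y2-Ud => erin@verified.example R=dnslookup T=remote_smtp '
    'H=mx.verified.example [192.0.2.30] X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=yes C="250 OK"',
]


def dane_domains(lines):
    """Return {domain: {"count": n, "hosts": set, "last": stamp}} for every
    recipient domain with at least one DANE-verified delivery."""
    seen = defaultdict(lambda: {"count": 0, "hosts": set(), "last": None})
    for line in lines:
        m = DELIVERY_RE.match(line)
        if not m:
            continue  # deferrals, bounces, arrivals: not a completed delivery
        cv = CV_RE.search(line)
        if not cv or cv.group("cv") != "dane":
            continue  # CV=yes / CV=no, or no TLS at all
        domain = m.group("rcpt").rsplit("@", 1)[-1].lower()
        entry = seen[domain]
        entry["count"] += 1
        entry["last"] = m.group("stamp")
        host = HOST_RE.search(line)
        if host:
            # DANE verification happens per MX host, so remember which ones passed.
            entry["hosts"].add(host.group("host").lower())
    return dict(seen)


def render_lsearch(seen, value="dane"):
    """Render the domain DB as 'domain: value' lines, the key/value layout that
    Exim's lsearch lookup type reads, sorted for stable diffs."""
    return "".join(f"{d}: {value}\n" for d in sorted(seen))


if __name__ == "__main__":
    db = dane_domains(SAMPLE_LOG)
    for d, e in sorted(db.items()):
        print(f"{d}: {e['count']} DANE deliveries via {sorted(e['hosts'])}, last {e['last']}")
    print(render_lsearch(db), end="")
```

The DB is keyed on the recipient domain because that is what a transport would naturally key a per-domain lookup on; the MX hosts are kept alongside because DANE validation is per host, so a domain with mixed `CV=dane` and `CV=no` results across its MXes deserves a look before anyone starts enforcing stronger ciphers for it. Feeding a `tls_require_ciphers` setting from this file is left to the transport configuration, which the thread notes is not yet straightforward.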