On 28/03/18 10:43, Mark Elkins via Exim-users wrote:
> I've no idea if it's possible to allow weaker encryption for
> opportunistic connections
> but enforce stronger encryption types on DANE compliant connections?

tls_required_ciphers on the smtp transport is expanded; do a dnsdb lookup
(or series) probing for the existence of TLSA records, and tune the
ciphers depending on that.

How complicated you want to make it depends on how closely you want
to emulate the actual DANE lookup sequence. I'd not suggest worrying
about the content of the TLSA records, for example.

You'll be doubling the traffic to the resolver, if that's a factor.
I strongly suggest you should be running a caching resolver locally,
but YMMV.
--
Cheers,
  Jeremy

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
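
Added example, not part of the message above and not taken from the Exim distribution: a transport fragment sketching the approach described in the reply, where a dnsdb probe for a TLSA record at the destination host selects the cipher list. It assumes an Exim built against OpenSSL (a GnuTLS build takes priority strings instead), delivery to port 25, a transport named remote_smtp, and two illustrative cipher strings.

```exim
# Transports section of the Exim configuration (added example).
remote_smtp:
  driver = smtp

  # tls_required_ciphers is expanded for each connection, with $host set
  # to the name of the server being contacted.
  #
  # The dnsdb lookup succeeds only if a TLSA RRset exists at
  # _25._tcp.<host>; the record content is not inspected.
  #
  #   dnssec_strict  only accept an answer the resolver marks as
  #                  DNSSEC-authenticated; anything else counts as a
  #                  temporary DNS error
  #   defer_never    treat a temporary DNS error as "no record found"
  #                  instead of deferring the delivery
  #
  # Together these mean an unsigned or unresolvable TLSA answer falls
  # back to the opportunistic cipher list rather than the strict one.
  #
  # Both cipher strings are assumptions; substitute your own policy.
  tls_required_ciphers = ${lookup dnsdb{dnssec_strict,defer_never,tlsa=_25._tcp.$host}\
                           {ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL}\
                           {DEFAULT}}
```

This probes only the literal host name and does not follow the CNAME handling of the real DANE lookup sequence. Each delivery makes one extra query to the resolver, which is the doubled resolver traffic mentioned in the reply.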
