On 15/03/2019 13:16, Alice Wonder via Exim-users wrote:
> use a default
> policy of encrypt so that cleartext is never used (e.g. doctors office
> where you don't want passive snooping to be able to extract private
> medical information about a patient), and under a default policy of
> encrypt, it then has to be told to use DANE instead for domains that
> support DANE. Not sure if Exim dane support works the same way.

A transport with hosts-require-tls and hosts-try-dane both set,
used by a router picking out those domains

>
> Also domains without DANE sometimes use MTA-STS and STARTTLS Everywhere
> policies to let an MTA know that they should require validated TLS
> rather than opportunistic TLS.

https://github.com/Exim/exim/wiki/starttls-everywhere
will be of interest.

> It appears that there is little interest in MTA-STS capabilities being
> built-in to Exim

Indeed. I gave up on internal support once using https
became involved. That doesn't mean someone else couldn't
expend the development effort.
--
Cheers,
  Jeremy

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
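
The arrangement described in the reply above, written out as an Exim configuration fragment. This is an added example, not part of the original message or the Exim project's own configuration; the router and transport names and the domains in dane_domains are constructed placeholders, and the options are spelled with underscores as Exim's configuration syntax requires.

```exim
# Constructed example. Assumes an Exim build with DANE support and a
# DNSSEC-validating resolver; without validated DNS answers the TLSA
# lookup cannot be trusted and DANE will not be used.

# Placeholder domain lists.
domainlist local_domains = @
domainlist dane_domains  = example.org : example.net

begin routers

# Router picking out the domains that are to get DANE.
# dnssec_request_domains asks for DNSSEC on the MX/A lookups so the
# transport can rely on the result.
dane_remote:
  driver = dnslookup
  domains = +dane_domains
  dnssec_request_domains = *
  transport = remote_smtp_dane
  no_more

# All other remote domains: the default "always encrypt" policy.
remote_default:
  driver = dnslookup
  domains = ! +local_domains
  transport = remote_smtp_tls
  no_more

begin transports

# Both options set, as in the reply: TLS is mandatory for every host,
# and DANE (TLSA) verification is attempted for every host.
remote_smtp_dane:
  driver = smtp
  hosts_require_tls = *
  hosts_try_dane = *

# TLS is mandatory, so mail is deferred rather than sent in cleartext.
# DANE behaviour here is left at the build's default.
remote_smtp_tls:
  driver = smtp
  hosts_require_tls = *
```

Router order matters: dane_remote must come before remote_default so that the listed domains reach the DANE transport first.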
