On 2020-06-17 at 15:34 -0400, John R. Levine via Exim-users wrote:
> For example, here's where you can find the MTA-STS for my iecc.com:
>
> https://mta-sts.iecc.com/.well-known/mta-sts.txt

My stance on MTA-STS is that it's reasonable to advertise to get the big players talking to you, but it's a spiralling trap of trust-stores with the same social failure mode which caused TLSA Usages 0 and 1 to be rejected for use in SMTP (or really any federated service).

So I've spoken out against implementing MTA-STS as a client, but at the same time documented for folks how to implement it so that others (gorillas) can use it.

Which is why: <https://mta-sts.exim.org/.well-known/mta-sts.txt> works.
Originally purely so that mail from Gmail would be secured.
(Originally set up, perhaps for the JSON variant (I forget), in 2017)

I thought we at least had a wiki page on it. We don't. It's really nothing specific to Exim though, since it's just static data publication and entirely outside Exim's remit.

> Looking at the mail logs for my servers, it's pretty clear that Exim doesn't
> send SNI.

Exim sends SNI if it has a reasonable value to send. In the absence of DNSSEC, there's nothing reasonable to default to.

We have an old branch (from 2018) where I made it default to the mail-domain if not otherwise set, because TLS1.3 mandates SNI. Looks like that was a "how about this idea" proposal and we didn't go with it.

I keep mentally thinking that we're setting this automatically when DANE is in play but it looks like we never got around to that. Ah, I stopped relying on fallible memory and filed a bug about it: <https://bugs.exim.org/show_bug.cgi?id=2265> and we paused on "if we flat-out ignore the configured value for DANE, we lose flexibility" ... but I suspect we should go ahead and flat-out ignore it, as we do for several other TLS options once DANE is in play.

So at present, "reasonable value" still means statically configured.

> doesn't have any way to select a certificate using SNI. This is not hard to
> fix; I added SNI support to the mailfront SMTP daemon in a couple of hours.

Exim has supported using the inbound TLS SNI value in the expansion controls for choosing keys and certs, etc., since I added support for Exim 4.80 (change PP/17) in 2012. With both OpenSSL and GnuTLS crypto libraries.

The concept index at: <https://www.exim.org/exim-html-current/doc/html/spec_html/ch-concept_index.html> links to the various places in the documentation which describe our SNI behavior. Most pertinently: <https://www.exim.org/exim-html-current/doc/html/spec_html/ch-encrypted_smtp_connections_using_tlsssl.html#SECTtlssni>

-Phil

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
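The two SNI behaviours discussed in the thread (Exim choosing an inbound certificate from the SNI name the client sent, and Exim only sending SNI outbound when it has a configured value) as an added Exim configuration example. This is not configuration from the thread, the Exim documentation or the exim.org servers; the `/etc/exim/tls/` directory layout, the one-file-per-name naming scheme and the `remote_smtp` transport name are assumptions for this example.

```exim
# Inbound side (main configuration section): pick the server certificate from
# the SNI name the client presented. $tls_in_sni is client-supplied input, so
# it is restricted to hostname characters before being spliced into a file
# path; an empty, malformed or unknown name falls back to the default
# certificate. The key is expected in the same .pem file, so tls_privatekey is
# left unset. The /etc/exim/tls/ layout is an assumption for this example.
tls_certificate = ${if and {\
        {!eq{$tls_in_sni}{}}\
        {match{$tls_in_sni}{^[A-Za-z0-9.-]+\$}}\
        {exists{/etc/exim/tls/${lc:$tls_in_sni}.pem}}\
    } {/etc/exim/tls/${lc:$tls_in_sni}.pem} {/etc/exim/tls/default.pem}}

# Outbound side (transports section): Exim sends SNI only when tls_sni gives
# it a value. Setting it to $host sends the name of the MX host being
# connected to, which is the "statically configured" case described in the
# thread; nothing is sent if this option is left unset. The transport name is
# an assumption.
remote_smtp:
  driver = smtp
  tls_sni = $host
```

The `match` whitelist is the check a practitioner wants here: without it a client can put arbitrary bytes, including path separators, into the name that ends up in the `exists` lookup and the certificate path. Per-name files keyed on the lowercased SNI value mean an unexpected name can never select anything other than `default.pem`. On the outbound side, `$host` is a deliberate operator choice rather than an Exim default, which is the point the thread makes about why logs show no SNI from an unconfigured Exim.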