On Sat, Oct 30, 2021 at 02:56:40AM -0400, Viktor Dukhovni via Exim-users wrote:
> On Sat, Oct 30, 2021 at 08:07:02AM +0200, Andreas Metzler via Exim-users wrote:
>
> > > Is it really true that for lack of valid certificate there's a way to
> > > get Exim to fall back to cleartext instead???
> >
> > If a host is in tls_verify_hosts and hosts_try_tls but not in
> > hosts_require_tls exim will fall back to cleartext. (That is for the
> > non-DANE case.)
>
> This seems like a footgun combination of configuration options. [...]
How Exim is doing TLS fallback is described here:
https://www.exim.org/exim-html-current/doc/html/spec_html/ch-encrypted_smtp_connections_using_tlsssl.html#SECTclientTLS

As I understand, the peer's certificate validation failure is one variant of general TLS negotiation failure, resulting in fallback to plain text if the tls_tempfail_tryclear option of the SMTP transport is "true" (default).

--
Eugene Berdnikov

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
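The two configurations discussed in this thread side by side, as an added illustration that is not part of any message above; the transport names and the peer mail.example.com are placeholders.

```conf
# Added example, not from the thread. Hypothetical smtp transports;
# mail.example.com stands in for a real peer.

# Footgun combination: TLS is attempted and the peer certificate is verified,
# but the peer is not in hosts_require_tls, so a verification failure is just
# a TLS setup failure and tls_tempfail_tryclear (default true) lets Exim
# reconnect and deliver in cleartext.
remote_smtp_weak:
  driver = smtp
  hosts_try_tls = *
  tls_verify_hosts = mail.example.com
  # hosts_require_tls not set
  # tls_tempfail_tryclear left at its default of true

# Hardened form: any peer whose certificate must verify is also required to
# use TLS, so a failed handshake or failed verification defers the message
# instead of falling back to cleartext.
remote_smtp:
  driver = smtp
  hosts_try_tls = *
  tls_verify_hosts = mail.example.com
  hosts_require_tls = mail.example.com
  # For all other hosts as well: defer on TLS setup failure rather than
  # retrying in clear.
  tls_tempfail_tryclear = false
```

Setting tls_tempfail_tryclear to false globally means a peer with broken STARTTLS is deferred rather than delivered in clear, which is the intended trade-off here; if opportunistic delivery to such peers is still wanted, leave it at the default and rely on hosts_require_tls for the peers that matter.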
