> On Mar 15, 2021, at 6:24 AM, Heiko Schlittermann via Exim-dev wrote:
>
> If the next hop's hostname comes from insecure DNS, you're right. If the
> next hop's hostname is hard-wired into the configuration (as typically
> found in "use-a-smarthost" setups), I believe, it's useful to check
Viktor Dukhovni via Exim-dev (Sun 14 Mar 2021 14:33:21 CET):
> For the record, the expectation is:
>
> - Absent DANE TLSA records, the literal MX hostname, which is
> of course insecurely obtained from MX records, so validation
> is mostly an exercise in futility. It would only mean
For the record, the expectation is:
- Absent DANE TLSA records, the literal MX hostname, which is
of course insecurely obtained from MX records, so validation
is mostly an exercise in futility. It would only mean something
if MTA-STS were implemented, but Exim does not MTA-STS last I
https://bugs.exim.org/show_bug.cgi?id=2594
Heiko Schlittermann changed:
CC: added h...@schlittermann.de
--- Comment #11
https://bugs.exim.org/show_bug.cgi?id=2594
Jeremy Harris changed:
CC: added j...@ziepe.ca
--- Comment #10 from Jeremy
https://bugs.exim.org/show_bug.cgi?id=2594
Jeremy Harris changed:
See Also: added https://bugs.exim.org/show_
https://bugs.exim.org/show_bug.cgi?id=2594
Jeremy Harris changed:
Resolution: --- -> FIXED
Status: ASSIGNED (removed)
https://bugs.exim.org/show_bug.cgi?id=2594
Git Commit changed:
CC: added g...@exim.org
--- Comment #8 from Git Commit ---
https://bugs.exim.org/show_bug.cgi?id=2594
Jeremy Harris changed:
Status: NEW -> ASSIGNED
--- Comment #7 from Jeremy Harris ---
On 09/06/2020 18:33, Viktor Dukhovni via Exim-dev wrote:
> Perhaps so, but in the context of everything else in RFC6125, and the
> specs for other protocols, ... it is fairly clear (to me anyway) that
> the intent is to match the SMTP server name prior to CNAME expansion,
> just like the
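The point argued in the messages above (match the certificate against the SMTP server name as configured or as found in the MX record, before any CNAME expansion, per RFC 6125 Appendix B.4) is easy to get wrong in an MTA that replaces the hostname with its canonical name after DNS resolution. The following is an added example, not Exim's code and not from anyone in this thread: a small RFC 6125-style dNSName matcher driven by a constructed DNS view and a constructed server certificate. The two hostnames come from the bug report on this page; the assumption that mail.dev.edesix.com is the configured next hop and mail.edesix.local its CNAME target is ours.

```python
"""RFC 6125-style certificate name matching for an SMTP client whose
configured next hop is a CNAME.

Added example, not Exim's code.  DNS data and certificate names are
constructed; the assumption that mail.dev.edesix.com is the configured
name and mail.edesix.local its CNAME target is ours.
"""
from typing import Dict, Iterable, List, Tuple

# Constructed DNS view: configured name -> canonical (CNAME target) name.
CNAME_MAP: Dict[str, str] = {
    "mail.dev.edesix.com": "mail.edesix.local",
}

# Constructed certificate: subjectAltName dNSName entries only.  Per
# RFC 6125 section 6.4.4 the CN is ignored when SANs are present.
SERVER_CERT_SANS = ("mail.dev.edesix.com", "*.dev.edesix.com")


def _labels(name: str) -> List[str]:
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def dns_name_matches(reference: str, presented: str) -> bool:
    """Compare a reference identifier (the name the client expects) with a
    presented dNSName (from the certificate), RFC 6125 section 6.4.3 style.

    A wildcard is honoured only as the entire left-most label, matches
    exactly one label, and needs at least two labels after it; partial
    wildcards such as "m*.example.com" (optional in the RFC) are rejected
    here as the stricter choice."""
    ref = _labels(reference)
    pres = _labels(presented)
    if not ref or not pres or len(ref) != len(pres):
        return False
    if pres[0] == "*":
        if len(pres) < 3:          # "*.com" would be far too broad
            return False
        return ref[1:] == pres[1:]
    if any("*" in label for label in pres):
        return False
    return ref == pres


def cert_matches_name(sans: Iterable[str], reference: str) -> bool:
    """True if any SAN in the certificate matches the reference identifier."""
    return any(dns_name_matches(reference, san) for san in sans)


def pick_reference_identifier(configured_host: str,
                              cname_map: Dict[str, str],
                              expand_cname: bool) -> str:
    """Return the name the client will verify the certificate against.

    expand_cname=True reproduces the behaviour the bug report describes
    (check against the CNAME target); False follows RFC 6125 Appendix B.4
    as read in this thread (check the name prior to CNAME expansion)."""
    if expand_cname:
        return cname_map.get(configured_host, configured_host)
    return configured_host


def verify_smtp_peer(configured_host: str, sans: Iterable[str],
                     cname_map: Dict[str, str],
                     expand_cname: bool) -> Tuple[str, bool]:
    """Return (name checked, whether the certificate satisfied it)."""
    ref = pick_reference_identifier(configured_host, cname_map, expand_cname)
    return ref, cert_matches_name(sans, ref)


if __name__ == "__main__":
    for expand in (True, False):
        name, ok = verify_smtp_peer("mail.dev.edesix.com", SERVER_CERT_SANS,
                                    CNAME_MAP, expand)
        print(f"expand_cname={expand}: checked {name!r}, verified={ok}")
```

With the constructed data, checking the post-CNAME name mail.edesix.local fails against a certificate that is perfectly valid for the configured name, which is the failure mode the bug report logs ("Cert hostname to check" differing from the SNI that was sent); checking the pre-expansion name succeeds.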
On Tue, Jun 09, 2020 at 04:41:33PM +0100, Jeremy Harris via Exim-dev wrote:
> On 08/06/2020 14:51, Viktor Dukhovni via Exim-dev wrote:
> > Yes: https://tools.ietf.org/html/rfc6125#appendix-B.4
> >
> > The original reporter is right.
>
> No, it's worse. If you take that RFC 3207 wording
On 08/06/2020 14:51, Viktor Dukhovni via Exim-dev wrote:
> On Mon, Jun 08, 2020 at 12:48:22PM +, admin--- via Exim-dev wrote:
>
>> https://bugs.exim.org/show_bug.cgi?id=2594
>>
>> --- Comment #1 from Jeremy Harris ---
>> Can you locate a standards document specifying the name that should be
https://bugs.exim.org/show_bug.cgi?id=2594
--- Comment #6 from Chris Paulson-Ellis ---
(In reply to Phil Pennock from comment #5)
> In the original bug-report here:
>
> """
> Cert hostname to check: "mail.edesix.local"
> Setting TLS SNI "mail.dev.edesix.com"
> """
>
> That is clearly an
https://bugs.exim.org/show_bug.cgi?id=2594
Phil Pennock changed:
CC: added p...@exim.org
--- Comment #5 from Phil Pennock
On Mon, Jun 08, 2020 at 12:48:22PM +, admin--- via Exim-dev wrote:
> https://bugs.exim.org/show_bug.cgi?id=2594
>
> --- Comment #1 from Jeremy Harris ---
> Can you locate a standards document specifying the name that should be checked
> against the certificate?
Yes:
https://bugs.exim.org/show_bug.cgi?id=2594
--- Comment #4 from Chris Paulson-Ellis ---
The STARTTLS RFC 3207 is not very helpful, describing it as a local matter and
using words like probably:
4.1 Processing After the STARTTLS Command
...
The decision of whether or not to believe the
https://bugs.exim.org/show_bug.cgi?id=2594
--- Comment #3 from Jeremy Harris ---
All very well... but an MTA is not a browser.
--
You are receiving this mail because:
You are on the CC list for the bug.
--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim
details at
https://bugs.exim.org/show_bug.cgi?id=2594
--- Comment #2 from Chris Paulson-Ellis ---
I thought you might ask that :-)
I don't think this specific issue is explicitly addressed in either the SMTP,
TLS or HTTPS RFCs. HTTPS is quite clear that the name being tested comes from
the URI, but
https://bugs.exim.org/show_bug.cgi?id=2594
--- Comment #1 from Jeremy Harris ---
Can you locate a standards document specifying the name that should be checked
against the certificate?
https://bugs.exim.org/show_bug.cgi?id=2594
Chris Paulson-Ellis changed:
Summary: CNAME handing can break TLS -> CNAME handling can break