Re: [exim-dev] tls_sni = $host in default configuration file

2019-01-06 Thread Richard James Salts via Exim-dev
On Friday, 4 January 2019 2:02:20 AM AEDT Florian Zumbiehl via Exim-dev wrote: > Hi, > > > For the record, if you have a sensitive security issue, please mail > > > > secur...@exim.org > > well, that's good to know, I guess, but may I suggest you put that on the > website somewhere? It

Re: [exim-dev] tls_sni = $host in default configuration file

2019-01-05 Thread Florian Zumbiehl via Exim-dev
Hi, > Once one is logged in or creates a log-in to file a report, it really is > quite straightforward: > > http://www.exim.org/ --> [bugs] > https://bugs.exim.org/ --> [File a Bug] > https://bugs.exim.org/enter_bug.cgi which looks as attached Well, so, once you have done a bunch of steps that

Re: [exim-dev] tls_sni = $host in default configuration file

2019-01-04 Thread Andreas Metzler via Exim-dev
On 2019-01-04 Florian Zumbiehl via Exim-dev wrote: > On 2019-01-04 Jeremy Harris via Exim-dev wrote: >> On 04/01/2019 01:02, Florian Zumbiehl via Exim-dev wrote: >>> may I suggest you put that on the >>> website somewhere? >> It was already there, at https://bugs.exim.org/enter_bug.cgi > That

Re: [exim-dev] tls_sni = $host in default configuration file

2019-01-04 Thread Florian Zumbiehl via Exim-dev
Hi, > On 04/01/2019 01:02, Florian Zumbiehl via Exim-dev wrote: > > may I suggest you put that on the > > website somewhere? > > It was already there, at https://bugs.exim.org/enter_bug.cgi That page only tells me that "Bugzilla needs a legitimate login and password to continue.". Clicking

Re: [exim-dev] tls_sni = $host in default configuration file

2019-01-04 Thread Jeremy Harris via Exim-dev
On 04/01/2019 01:02, Florian Zumbiehl via Exim-dev wrote: > may I suggest you put that on the > website somewhere? It was already there, at https://bugs.exim.org/enter_bug.cgi -- Jeremy -- ## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at

Re: [exim-dev] tls_sni = $host in default configuration file

2019-01-03 Thread Florian Zumbiehl via Exim-dev
Hi, > For the record, if you have a sensitive security issue, please mail > secur...@exim.org well, that's good to know, I guess, but may I suggest you put that on the website somewhere? Just put a text file in https://www.exim.org/static/doc/security/ or something, that's linked as

Re: [exim-dev] tls_sni = $host in default configuration file

2019-01-02 Thread Jeremy Harris via Exim-dev
For the record, if you have a sensitive security issue, please mail secur...@exim.org -- Cheers, Jeremy -- ## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##

Re: [exim-dev] tls_sni = $host in default configuration file

2019-01-02 Thread Florian Zumbiehl via Exim-dev
Hi, > If we're changing `$host` based upon CNAMEs in DNS, then yes this will > do The Wrong Thing. It might be a security problem then, because the > normally-insecure DNS changes the name we validate the certificate > against. We can't rely upon DNSSEC for this default example config. Yes,

Re: [exim-dev] tls_sni = $host in default configuration file

2018-12-21 Thread Phil Pennock via Exim-dev
On 2018-12-20 at 20:50 +, Jeremy Harris via Exim-dev wrote: > The wording "should be" could be relaxed slightly, maybe, since it isn't > required by Exim's parsing. "It is simplest to", perhaps? Didn't we used to require it? I forget. Feel free to update it. > I see you quietly removed

Re: [exim-dev] tls_sni = $host in default configuration file

2018-12-20 Thread Jeremy Harris via Exim-dev
On 19/12/2018 00:51, Phil Pennock via Exim-dev wrote: > I think this change is generally useful, in having a cleaner setup for a > very common use-case, and showing exactly where new macros should be > defined, which can reduce some of the pain encountered by newcomers to > Exim. The wording

Re: [exim-dev] tls_sni = $host in default configuration file

2018-12-18 Thread Phil Pennock via Exim-dev
On 2018-12-17 at 18:44 -, Jasen Betts via Exim-dev wrote: > What does DANE say we should ask for? I remember it being non-obvious but > easily explained. However, I don't remember the detail. RFC 7672 section 2.2.2. If DNSSEC is available for every step along the way, for all CNAMEs in

Re: [exim-dev] tls_sni = $host in default configuration file

2018-12-17 Thread Andreas Metzler via Exim-dev
On 2018-12-17 Phil Pennock via Exim-dev wrote: > On 2018-12-16 at 10:42 +, Jeremy Harris via Exim-dev wrote: > > On 16/12/2018 10:20, Andreas Metzler via Exim-dev wrote: > > > 4.92rc1 adds this to the smarthost_smtp transport: > > > > > > tls_sni = $host > > > > > > I do not think that

Re: [exim-dev] tls_sni = $host in default configuration file

2018-12-17 Thread Jasen Betts via Exim-dev
On 2018-12-16, Phil Pennock via Exim-dev wrote: > On 2018-12-16 at 10:42 +, Jeremy Harris via Exim-dev wrote: >> On 16/12/2018 10:20, Andreas Metzler via Exim-dev wrote: >> > 4.92rc1 adds this to the smarthost_smtp transport: >> > >> > tls_sni = $host What does DANE say we should ask for? I

Re: [exim-dev] tls_sni = $host in default configuration file

2018-12-16 Thread Phil Pennock via Exim-dev
On 2018-12-16 at 10:42 +, Jeremy Harris via Exim-dev wrote: > On 16/12/2018 10:20, Andreas Metzler via Exim-dev wrote: > > 4.92rc1 adds this to the smarthost_smtp transport: > > > > tls_sni = $host > > > > I do not think that always works as expected. Depending on the DNS setup > > (CNAME,

Re: [exim-dev] tls_sni = $host in default configuration file

2018-12-16 Thread Jeremy Harris via Exim-dev
On 16/12/2018 10:20, Andreas Metzler via Exim-dev wrote: > 4.92rc1 adds this to the smarthost_smtp transport: > > tls_sni = $host > > I do not think that always works as expected. Depending on the DNS setup > (CNAME, round robin) $host will not contain the name of the selected > smarthost