On 2018-03-28 at 21:29 -0400, Phil Pennock via Exim-users wrote: > On 2018-03-28 at 21:11 -0400, Phil Pennock via Exim-users wrote: > > $smtp_found_dane or something? Note that DANE support is Experimental > > and feedback and requests are a good thing (patches even better!). > > Uh ... DANE graduated from Experimental, I forgot. Sorry. > > Am tentatively thinking that since so many other TLS-related Transport > options are ignored under DANE, and we don't require complicated > expansion rules, the cleanest and easiest would be to have a new option, > `dane_require_tls_ciphers`; if unset, `tls_require_ciphers` would be > used as the default, but if set and _IF_ DANE is in play, then this > cipherlist would be used instead. > > I'll code up a strawman for consideration.
This has been merged. I wrote the feature, Jeremy wrote the tests, the buildfarm was happy, I've merged it to master. This should be part of the imminent feature-freeze RC and thus part of Exim 4.91 -- probably the last thing to squeak in, but it fits as part of Jeremy's work maturing DANE: 4.91 will be the first release where DANE is "normal" not "experimental", with support both via OpenSSL and GnuTLS. SMTP Transport option dane_require_tls_ciphers -- exactly the same as tls_require_ciphers and falls back to tls_require_ciphers appropriately. Use it to specify a different cipher list for when DANE is in play. This makes it easier to be much stricter for hosts which appear to be doing security right, and where there is no plaintext fallback. With GnuTLS, where the string is interpreted as a "priority string", you can also turn on and off TLS/SSL protocol versions as part of the option. With OpenSSL, it's just ciphersuites. Have fun! -Phil -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
