Re: [exim] Something like "domains_require_tls"

2023-03-29 Thread Slavko via Exim-users
On 29 March 2023 at 21:11:05 UTC, Evgeniy Berdnikov via Exim-users wrote: > One can generate self-signed certs, paying 2 cents, but you can't generate > trust for such amount of money. Trust to public CAs can be measured by cost > of related risks and business, starting from hundreds

Re: [exim] Something like "domains_require_tls"

2023-03-29 Thread Slavko via Exim-users
On 29 March 2023 at 20:27:30 UTC, Viktor Dukhovni via Exim-users wrote: >On Wed, Mar 29, 2023 at 06:59:42PM +, Slavko via Exim-users wrote: >> Do you expect that all these domains have to use >> the same name in MX? Or do you expect thousands certs >> on that MTA? > >Either will

Re: [exim] Something like "domains_require_tls"

2023-03-29 Thread Evgeniy Berdnikov via Exim-users
On Wed, Mar 29, 2023 at 06:59:42PM +, Slavko via Exim-users wrote: > Why in hell the certificate signed by same (anonymous for me) > group (understand CA) is considered as secure, but certificate > signed by my own CA is not ? Only because someone (anonymous > for me again) decided that these

Re: [exim] Something like "domains_require_tls"

2023-03-29 Thread Viktor Dukhovni via Exim-users
On Wed, Mar 29, 2023 at 06:59:42PM +, Slavko via Exim-users wrote: > Verifying name in case of SMTP has another problem -- which > name to verify? Recipient's domain name? Name from MX? Or > from PTR? You know they often differs, at least in that that MX > is subdomain or even totally

Re: [exim] Something like "domains_require_tls"

2023-03-29 Thread Jeremy Harris via Exim-users
On 29/03/2023 17:59, Viktor Dukhovni via Exim-users wrote: It is (at least in Postfix) also possible Please note that this mailing list is not focussed on Postfix. -- Cheers, Jeremy -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at

Re: [exim] Something like "domains_require_tls"

2023-03-29 Thread Slavko via Exim-users
On 29 March 2023 at 16:24:22 UTC, Bill Cole via Exim-users wrote: >On 2023-03-29 at 04:46:17 UTC-0400 (Wed, 29 Mar 2023 10:46:17 +0200) >Kirill Miazine via Exim-users >is rumored to have said: > >> Exactly. The former preventing passive data collection, the latter -- >> active. Still,

Re: [exim] Something like "domains_require_tls"

2023-03-29 Thread Viktor Dukhovni via Exim-users
On Wed, Mar 29, 2023 at 12:24:22PM -0400, Bill Cole via Exim-users wrote: > On 2023-03-29 at 04:46:17 UTC-0400 (Wed, 29 Mar 2023 10:46:17 +0200) > Kirill Miazine via Exim-users is rumored to have said: > > > Exactly. The former preventing passive data collection, the latter -- > > active. Still,

Re: [exim] Something like "domains_require_tls"

2023-03-29 Thread Bill Cole via Exim-users
On 2023-03-29 at 04:46:17 UTC-0400 (Wed, 29 Mar 2023 10:46:17 +0200) Kirill Miazine via Exim-users is rumored to have said: Exactly. The former preventing passive data collection, the latter -- active. Still, if *I* were to state a legal requirement that certain domains use TLS, I'd also ask

Re: [exim] Something like "domains_require_tls"

2023-03-29 Thread Jeremy Harris via Exim-users
On 29/03/2023 10:40, Slavko via Exim-users wrote: On 29. 3. at 10:56 Olaf Hopp (SCC) via Exim-users wrote: decided still to live with 2 pairs of routers and transports and keep in mind, when I change one of them, I have to change the other one as well. And what about include common

Re: [exim] Something like "domains_require_tls"

2023-03-29 Thread Mark Elkins via Exim-users
The subject line caught my interest. My mail domain is DNSSEC Signed and I have SSL/TLS Certificates (Let's Encrypt - which I've automated) that cover it - and have implemented TLSA records for my mail server a few years back. So if the recipient SMTP server also happens to have a TLSA DNS

Re: [exim] Something like "domains_require_tls"

2023-03-29 Thread Slavko via Exim-users
On 29. 3. at 10:56 Olaf Hopp (SCC) via Exim-users wrote: On 3/28/23 15:59, Mike Tubby via Exim-users wrote: Jeremy's proposal sounded promising at first look, but after his correction that I have to use "max_rcpts = 1" and that these are my main routers / transports handling ~200k Mails

Re: [exim] Something like "domains_require_tls"

2023-03-29 Thread Slavko via Exim-users
On 29. 3. at 10:22 Evgeniy Berdnikov via Exim-users wrote: On Wed, Mar 29, 2023 at 09:40:16AM +0200, Kirill Miazine via Exim-users wrote: I understand it might help a little bit to require TLS, but without verification that a certificate is valid, TLS requirement is not such a big win, is

Re: [exim] Something like "domains_require_tls"

2023-03-29 Thread Olaf Hopp (SCC) via Exim-users
On 3/28/23 15:59, Mike Tubby via Exim-users wrote: Hi Olaf, outbound_force_tls:     driver = dnslookup     domains = +tls_force_remote_domains     transport = remote_smtp_force_tls outbound_lookup:     driver = dnslookup     domains = ! +local_domains    

Re: [exim] Something like "domains_require_tls"

2023-03-29 Thread Kirill Miazine via Exim-users
• Evgeniy Berdnikov via Exim-users [2023-03-29 11:22]: > On Wed, Mar 29, 2023 at 09:40:16AM +0200, Kirill Miazine via Exim-users wrote: > > I understand it might help a little bit to require TLS, but without > > verification that a certificate is valid, TLS requirement is not such > > a big win,

Re: [exim] Something like "domains_require_tls"

2023-03-29 Thread Evgeniy Berdnikov via Exim-users
On Wed, Mar 29, 2023 at 09:40:16AM +0200, Kirill Miazine via Exim-users wrote: > I understand it might help a little bit to require TLS, but without > verification that a certificate is valid, TLS requirement is not such > a big win, is it? Depends on your aims. Pure encryption is one level of

Re: [exim] Something like "domains_require_tls"

2023-03-29 Thread Kirill Miazine via Exim-users
I understand it might help a little bit to require TLS, but without verification that a certificate is valid, TLS requirement is not such a big win, is it? I too have a transport that would require TLS for certain sending domains, but I haven't yet required TLS verification, because it often

Re: [exim] Something like "domains_require_tls"

2023-03-28 Thread Mike Tubby via Exim-users
Hi Olaf, I had a similar problem several years ago, but had to ensure TLS in and TLS out to potentially hundreds of domains so implemented it in our mail relay servers using a MySQL database: CREATE TABLE `tls_force_remote_domains` (   `id` int(10) unsigned NOT NULL AUTO_INCREMENT,  

Re: [exim] Something like "domains_require_tls"

2023-03-27 Thread Slavko via Exim-users
On 27. 3. at 10:49 Jasen Betts via Exim-users wrote: On 2023-03-23, Jeremy Harris via Exim-users wrote: rather than the multi_domain; I'm not certain that there's coding in the transport to check for all-same-domain when expanding $domain. It did check the last time that I looked, if

Re: [exim] Something like "domains_require_tls"

2023-03-27 Thread Jasen Betts via Exim-users
On 2023-03-23, Jeremy Harris via Exim-users wrote: > On 23/03/2023 16:01, Jeremy Harris via Exim-users wrote: >> allsmtp: >>  driver = smtp >>  hosts_require_tls = ${if  >> match_domain{$domain}{+domainlist-with-TLS-Domains} {*}{}} >>  multi_domain = false > > Actually, better have >

Re: [exim] Something like "domains_require_tls"

2023-03-24 Thread Jeremy Harris via Exim-users
On 24/03/2023 14:45, Olaf Hopp (SCC) via Exim-users wrote: Am I missing something ? The behaviour defined in the docs does not cover your use. The actual implementation, and behaviour, could change underneath you. -- Cheers, Jeremy -- ## List details at

Re: [exim] Something like "domains_require_tls"

2023-03-24 Thread Olaf Hopp (SCC) via Exim-users
On 3/24/23 13:42, Jeremy Harris via Exim-users wrote: On 24/03/2023 12:28, Olaf Hopp (SCC) via Exim-users wrote: Do you think "multi_domain = false" is not worth for trying ? Correct. But seems to work: <= olafh...@kit.edu => f...@example.com ... X=TLS... example.com is the Domain

Re: [exim] Something like "domains_require_tls"

2023-03-24 Thread Jeremy Harris via Exim-users
On 24/03/2023 12:28, Olaf Hopp (SCC) via Exim-users wrote: Do you think "multi_domain = false" is not worth for trying ? Correct. -- Cheers, Jeremy -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with

Re: [exim] Something like "domains_require_tls"

2023-03-24 Thread Olaf Hopp (SCC) via Exim-users
On 3/23/23 17:19, Jeremy Harris via Exim-users wrote: On 23/03/2023 16:01, Jeremy Harris via Exim-users wrote: allsmtp:   driver = smtp   hosts_require_tls = ${if match_domain{$domain}{+domainlist-with-TLS-Domains}  {*}{}}   multi_domain = false Actually, better have     max_rcpt = 1 rather

Re: [exim] Something like "domains_require_tls"

2023-03-23 Thread Jeremy Harris via Exim-users
On 23/03/2023 16:01, Jeremy Harris via Exim-users wrote: allsmtp:  driver = smtp  hosts_require_tls = ${if match_domain{$domain}{+domainlist-with-TLS-Domains}  {*}{}}  multi_domain = false Actually, better have max_rcpt = 1 rather than the multi_domain; I'm not certain that there's

Re: [exim] Something like "domains_require_tls"

2023-03-23 Thread Jeremy Harris via Exim-users
On 23/03/2023 15:30, Olaf Hopp (SCC) via Exim-users wrote: router_A: domains: +domainlist-with-TLS-Domains transport: tlssmtp router_B: domains: * transport: smtp tlssmtp: hosts_require_tls = * driver = smtp smtp: driver smtp in reality two routers and

[exim] Something like "domains_require_tls"

2023-03-23 Thread Olaf Hopp (SCC) via Exim-users
Hi, for legal reasons I have a list of domains, where I *must* send via TLS Currently, I have two routers and transports: router_A: domains: +domainlist-with-TLS-Domains transport: tlssmtp router_B: domains: * transport: smtp tlssmtp: hosts_require_tls =
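The configuration below is an added example written for this page; it is not a config posted by anyone in the thread. It pulls together the pieces discussed above into a single router and transport: Jeremy Harris's conditional `hosts_require_tls` expansion with `max_rcpt = 1` (so that `$domain` is reliably set when the transport expands it, rather than relying on `multi_domain`), certificate verification so that "require TLS" is not merely protection against passive capture, a query-style lookup variant of the domain list along the lines of Mike Tubby's MySQL table, and opportunistic DANE as Mark Elkins described. The list name `tls_required_domains`, the file path, the table and column names, and the `local_domains` content are assumptions for illustration, as is Exim 4.9x option syntax; `mysql_servers` and a DNSSEC-validating resolver are assumed to be configured elsewhere.

```exim
# Added example, not from the thread. Names and paths are assumptions.

# Domains that must only ever be reached over verified TLS.
domainlist tls_required_domains = lsearch;/etc/exim4/tls_required_domains

# Alternative backed by a table like the one in Mike Tubby's post
# (assumed table/column names; query-style lookup, needs mysql_servers):
# domainlist tls_required_domains = mysql;SELECT domain FROM tls_force_remote_domains \
#     WHERE domain = '${quote_mysql:$domain}'

# Assumed local domain so the router below has something to exclude.
domainlist local_domains = example.org

begin routers

# One router for every remote domain; the TLS decision lives in the transport.
remote_smtp_router:
  driver = dnslookup
  domains = ! +local_domains
  transport = remote_smtp
  # Request DNSSEC for the MX lookup so the transport can use DANE
  # (only useful with a validating resolver).
  dnssec_request_domains = *
  no_more

begin transports

remote_smtp:
  driver = smtp
  # $domain is only set in a transport when every address in the delivery
  # shares one domain. max_rcpt = 1 guarantees that, at the cost of one
  # SMTP session per recipient; this is the trade-off Olaf raised for
  # a high-volume relay.
  max_rcpt = 1
  # Require STARTTLS for listed domains, stay opportunistic for the rest.
  hosts_require_tls = ${if match_domain{$domain}{+tls_required_domains}{*}{}}
  # Verify the server chain against the system CA store, and make a
  # verification failure fatal only for listed domains. Together with
  # hosts_require_tls this prevents a plaintext fallback to those domains.
  tls_verify_certificates = system
  tls_verify_hosts = ${if match_domain{$domain}{+tls_required_domains}{*}{}}
  tls_try_verify_hosts = *
  tls_verify_cert_hostnames = *
  # Where the MX publishes TLSA records under a signed zone, DANE
  # verification is used instead of the CA check above.
  hosts_try_dane = *
```

Two things to watch after deploying something like this. First, `tls_verify_cert_hostnames` checks the certificate against the MX host name Exim connected to, which is the name-selection question Slavko raised; with DANE the TLSA record decides what is acceptable instead. Second, `max_rcpt = 1` changes delivery concurrency for every domain, not just the listed ones, so compare queue behaviour before and after on a relay carrying the kind of volume mentioned in the thread.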