[Exim] TLS options

Author: Jan Schreckenbach
Date:  
To: exim-users
Subject: [Exim] TLS options
Hi,

I am just playing with the new TLS stuff and I have a problem.

Let me tell you my configuration. I have three kinds of networks.
Every host in LNET may use my server as outgoing relay without
authentication or encryption via TLS. So I set
host_accept_relay      = LNET


Every host in ANET may use my server as outgoing relay after
successful authentication with user + password. I don't want any
client to send the password via an unencrypted connection, so I set
host_auth_accept_relay = ANET
auth_always_advertise  = false
auth_over_tls_hosts    = ANET


Every host in CNET may use my server as outgoing relay if the
client gives me a valid client certificate. So I set
tls_advertise_hosts    = *
tls_hosts              = 
tls_verify_hosts       = CNET


Unfortunately, in my case ANET == CNET, because some of the hosts
have clients that can handle client certificates and some do not.

What I need is a somewhat different behavior:
1. If a host is in tls_verify_hosts but gives _no_ client certificate,
it should be treated as if this host were not in tls_verify_hosts,
i.e. if the client successfully authenticated, everything is OK
(some kind of fall-back-to-the-old-way stuff).
2. If the client certificate is wrong the client should be rejected.
3. If the client doesn't authenticate or the user+password combination
is wrong, ask the client for a client certificate. If the certificate
is OK, trust the client and do relay (Netscape always asks for username
and password if the server advertises AUTH, but I don't want to set up
a user for everyone).

Even if this is not possible yet, it could be implemented in future
versions.

cu,
Jan

--

Jan Schreckenbach                      email: Jan.Schreckenbach@???
SAP AG Walldorf/Baden, Germany         Phone: +49 6227  7-47474
LinuxLab                               Fax  : +49 6227 78-31414


SAP LinuxLab support address: linux@???
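The policy Jan describes (relay for LNET unconditionally; for ANET either a password sent only over TLS or a verified client certificate; reject a client certificate that fails verification, but fall back to AUTH when none is offered) is expressible in the later Exim 4 ACL model. The following is an added example, not Jan's configuration and not anything from the original thread; it uses Exim 4 syntax, since the Exim 3 options quoted above (host_accept_relay, host_auth_accept_relay, auth_over_tls_hosts, tls_hosts) do not exist there. The hostlist names, address ranges, domain name and certificate paths are assumptions.

```exim
# Added example, not from the original post. Exim 4 main-section options and
# a RCPT ACL implementing the three-network relay policy described above.
# Hostlists, domain and file paths below are assumed placeholders.

hostlist   lnet          = 10.1.0.0/16     # assumed: trusted LAN, relays freely
hostlist   anet          = 10.2.0.0/16     # assumed: ANET == CNET, as in the post
domainlist local_domains = example.org     # assumed: our own domain(s)

# Offer STARTTLS to everyone, but advertise AUTH only once the session is
# encrypted, so no client is ever invited to send a password in the clear.
tls_advertise_hosts  = *
tls_certificate      = /etc/exim/server.pem       # assumed path
tls_privatekey       = /etc/exim/server.key       # assumed path
auth_advertise_hosts = ${if eq{$tls_in_cipher}{}{}{*}}

# Request a client certificate from ANET hosts and verify it against our CA,
# but do not abort the TLS session when the client has none: that is the
# "fall back to the old way" behaviour (point 1). With tls_try_verify_hosts
# a presented-but-invalid certificate also does not abort the session, so
# point 2 is enforced in the ACL below instead.
tls_try_verify_hosts    = +anet
tls_verify_certificates = /etc/exim/client-ca.pem # assumed: CA for client certs

acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:
  # Mail for our own domains is not relaying; accept it.
  accept  domains = +local_domains

  # LNET relays without authentication and without TLS.
  accept  hosts = +lnet

  # Point 2: a certificate was presented ($tls_in_peerdn is set) but did
  # not verify. Reject regardless of anything else the client offers.
  deny    condition = ${if and{{def:tls_in_peerdn} \
                                {!eq{$tls_in_certificate_verified}{1}}}}
          message   = client certificate failed verification

  # Point 1: password AUTH (only ever advertised over TLS) is sufficient.
  accept  hosts         = +anet
          authenticated = *

  # Point 3: no (or failed) AUTH, but a verified client certificate.
  accept  hosts  = +anet
          verify = certificate

  deny    message = relay not permitted
```

Point 3's "ask the client for a certificate" needs no ACL logic of its own: for hosts in tls_try_verify_hosts the certificate request is made during the TLS handshake, before any AUTH or RCPT command, so by the time the ACL runs Exim already knows whether a certificate was presented and whether it verified. The deny on a presented-but-unverified certificate is placed before the AUTH accept deliberately, so a host with a bad certificate cannot rescue itself with a password.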