Re: [Exim] host_certs_accept_relay ?

Author: Philip Hazel
Date:  
To: Matthew Byng-Maddick
CC: exim-users
Subject: Re: [Exim] host_certs_accept_relay ?

On Wed, 10 Oct 2001, Matthew Byng-Maddick wrote:

> Will exim4 fix the problem of systems that try and do STARTTLS if they see
> it in the EHLO extras list, that they try and set up a secure connection,
> and don't present a certificate, such that the setup fails, but the normal
> SMTP dialogue can't be resumed causing the message to suffer a temporary
> error.


If the setting up of an encrypted session fails, there isn't much you can
do because the session is in an unknown state.

> Ie, will exim4 actually say, ok. you have a secure connection, but
> I don't actually know anything about you, so you can't do the relay bit of
> the SMTP ACL?


Yes.

Exim 4 does indeed solve this problem (as a server). It can be
configured with "ask the client for a certificate, but if the client
doesn't provide a certificate, or if the certificate doesn't match what
you expect, still carry on with the encrypted session". You can then
test for this state of affairs in the ACL.


-- 
Philip Hazel            University of Cambridge Computing Service,
ph10@???      Cambridge, England. Phone: +44 1223 334714.
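
The server-side behaviour described in the reply above, sketched as an Exim 4 configuration fragment. This is an added example, not part of the original message: the option names are taken from the released Exim 4 documentation rather than from the post, and the file paths, CA bundle and ACL name are placeholders.

```exim
# --- main configuration section ---
# Paths below are placeholders for this example.
domainlist local_domains = @

tls_advertise_hosts = *
tls_certificate     = /etc/exim/tls/server.crt
tls_privatekey      = /etc/exim/tls/server.key

# CA bundle against which client certificates are checked.
tls_verify_certificates = /etc/exim/tls/relay-clients-ca.pem

# Ask every client for a certificate, but carry on with the encrypted
# session if none is presented or if it does not verify.
# (tls_verify_hosts, by contrast, makes verification mandatory.)
tls_try_verify_hosts = *

acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:
  # Mail for our own domains is accepted whether or not the client
  # presented a certificate.
  accept  domains   = +local_domains

  # Relaying requires an encrypted session AND a client certificate
  # that verified against tls_verify_certificates.
  accept  encrypted = *
          verify    = certificate

  # Encrypted-but-unverified and unencrypted clients end up here.
  deny    message   = relay not permitted
```

With this layout a client that negotiates STARTTLS without a certificate can still deliver to local domains over the encrypted session; only the relay decision depends on the verified certificate.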