On Wed, 10 Oct 2001, Matthew Byng-Maddick wrote:
> Will exim4 fix the problem of systems that try and do STARTTLS if they see
> it in the EHLO extras list, that they try and set up a secure connection,
> and don't present a certificate, such that the setup fails, but the normal
> SMTP dialogue can't be resumed causing the message to suffer a temporary
> error.
If the setting up of an encrypted session fails, there isn't much you can
do because the session is in an unknown state.
> Ie, will exim4 actually say, ok. you have a secure connection, but
> I don't actually know anything about you, so you can't do the relay bit of
> the SMTP ACL?
Yes.
Exim 4 does indeed solve this problem (as a server). It can be
configured with "ask the client for a certificate, but if the client
doesn't provide a certificate, or if the certificate doesn't match what
you expect, still carry on with the encrypted session". You can then
test for this state of affairs in the ACL.
--
Philip Hazel University of Cambridge Computing Service,
ph10@??? Cambridge, England. Phone: +44 1223 334714.
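The server-side behaviour described in the reply (ask for a client certificate, keep the encrypted session if none is offered or it fails verification, then decide about relaying in the ACL) as an added Exim 4 configuration sketch; this is not from the thread or from the Exim distribution, and the file paths, the list name local_domains and the use of the tls_peerdn / tls_cipher variables are assumptions for illustration:

```exim
# Main section (assumed paths; constructed example, not the thread's own config)
domainlist local_domains = @
acl_smtp_rcpt = acl_check_rcpt

tls_advertise_hosts = *
tls_certificate = /etc/exim/server.crt
tls_privatekey = /etc/exim/server.key
# CA bundle used to verify certificates presented by clients
tls_verify_certificates = /etc/exim/client-ca.pem
# Request a certificate from every client, but do NOT abort the TLS session
# when none is presented or verification fails; the ACL below inspects the
# outcome instead. (tls_verify_hosts = * would reject such clients outright.)
tls_try_verify_hosts = *

begin acl

acl_check_rcpt:
  # Mail for our own domains is always accepted, encrypted or not
  accept  domains = +local_domains

  # Relay is permitted only when the client presented a certificate that
  # verified against tls_verify_certificates
  accept  verify = certificate
          logwrite = relay permitted for $tls_peerdn (cipher $tls_cipher)

  # Reaching here over TLS means the session is encrypted but the client
  # offered no certificate, or one we could not verify: encryption alone
  # says nothing about who the peer is, so no relay
  deny    encrypted = *
          message = encrypted session but no verified client certificate; relay denied

  # Plaintext clients get no relay either
  deny    message = relay not permitted
```

The key point is the distinction between `encrypted` (the session is merely protected) and `verify = certificate` (the peer proved an identity you chose to trust); only the latter should unlock relaying.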