Re: [Exim] TLS Problem

Author: Matthew Byng-Maddick
Date:  
To: exim-users
Subject: Re: [Exim] TLS Problem
On Sun, Dec 23, 2001 at 01:08:39AM +0100, Lukasz Grochal wrote:
> Philip Hazel <ph10@???> writes:
> > It depends on what you mean by "TLS session fails". If the server
> > rejects the "STARTTLS" command, Exim will attempt to send the message
> > unencrypted (in the absence of hosts_require_tls). However, if STARTTLS
> > is accepted, but there is a problem in setting up the session (which
> > will happen if the certificate doesn't match, but can also be caused by
> > other problems), Exim gives up, because the state of the SMTP connection
> > is undefined. (The server end doesn't know what the state is either.)
> There are a number of broken MTAs (mostly Lotus Notes/Dominos,
> sometimes others) all over the Internet that close the connection right
> after the STARTTLS (mostly because their clueless admins didn't care
> to generate certificates). When Exim talks to such hosts, it gives up
> and retries later (and eventually gives up, as those servers are just
> broken all right).


What I want to know at this point, is why you're trying to talk to mail
servers with encryption, if you have no prior agreement with them?
After all, the encryption gets you precisely nowhere and is more
expensive in terms of resources. You claim people who can't set up
encryption are clueless, I'll join you in that, but I'll also claim as
clueless someone who tries to do STARTTLS to a mail server where they
have no good reason to.

> As far as I can tell, the only way to deliver mail to such servers from
> a TLS-enabled Exim is to use the hosts_avoid_tls option. That unfortunately


My exim is not configured to try and do TLS wherever it's advertised.

> requires constant maintenance of config file and is quite a PITA for
> users who send mail to such sites and have it returned back undelivered
> some time later (no, they're users - they don't read DSN messages ;)


"Doctor, it hurts when I do this..."

> It would be nice and helpful if Exim - after the session broke right
> after STARTTLS or if STARTTLS gave a permanent error, started another
> delivery attempt, avoiding TLS at this time. Unless of course the host
> is in hosts_require_tls. Perhaps it could log a warning then too?


That, although nice in one respect, is also pretty horrid. I can think
of an obvious situation where that would break.

Server, set up as a relay, but only for machines that have a valid client
cert and do a TLS connection. For some reason, it can't currently get at
its certificates (perhaps they're on an encrypted filesystem or some
such). Temporary error ensues, because the state of the connection is
undefined, so you have to abandon it completely. I try again, without
TLS this time, but the mailserver is configured to bounce all non-TLS
mail with a "550 Relaying denied" message. Thus you've just escalated
a temporary error (which should defer and retry) to a permanent one. I
think this is *bad* default behaviour.

> Is there any chance for such a functionality? In Exim 4 perhaps?


I think it's a crazy piece of functionality to have. After all, you're
the one at fault. In fact, I'd go as far as to say that if you just
try and do encryption to any host that advertises STARTTLS in its EHLO
banner, that you haven't agreed with out-of-band, then you deserve to
lose. Think of the above mail setup again, and think what happens if
you don't present a client-certificate that I actually care about...
...the connection is in an undefined state, and you've caused a
temporary error that you won't recover from. I'd claim, that in this
situation, *YOU* are definitely the clueless one.

MBM

--
Matthew Byng-Maddick         <mbm@???>           http://colondot.net/
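The two failure modes argued over above (STARTTLS refused versus STARTTLS accepted and then the TLS setup breaking) and the relay counterexample can be modelled in a few lines. This is an added illustration, not Exim's code: `FakeServer`, `attempt` and the `fallback_to_clear` switch are constructed for the example, with `require_tls` standing in for a host listed in hosts_require_tls.

```python
# Added model of the outbound TLS decision discussed in the thread (not Exim code).
# A constructed server exposes three knobs: how it answers STARTTLS, whether the
# TLS handshake then succeeds, and whether it refuses relaying over cleartext.
from dataclasses import dataclass


@dataclass
class FakeServer:
    advertises_starttls: bool = True
    starttls_reply: str = "220"     # "220" accepts; anything else refuses STARTTLS
    handshake_ok: bool = True       # False: STARTTLS accepted, then TLS setup breaks
    relay_needs_tls: bool = False   # constructed relay: "550 Relaying denied" in clear

    def rcpt(self, tls_active):
        """Reply to RCPT TO given whether the session is encrypted."""
        return "250" if tls_active or not self.relay_needs_tls else "550"


def attempt(server, tls_wanted, fallback_to_clear=False, require_tls=False):
    """One delivery attempt: returns 'delivered', 'deferred' or 'bounced'.

    require_tls models a host in hosts_require_tls; fallback_to_clear models the
    proposed 'retry without TLS' behaviour the thread argues about.
    """
    if not tls_wanted or not server.advertises_starttls:
        if require_tls:
            return "deferred"              # TLS required but not available
        return "delivered" if server.rcpt(False) == "250" else "bounced"
    if server.starttls_reply != "220":
        # STARTTLS refused: the SMTP session is still in a defined state, so the
        # message goes in clear unless TLS is required for this host.
        if require_tls:
            return "deferred"
        return "delivered" if server.rcpt(False) == "250" else "bounced"
    if not server.handshake_ok:
        # STARTTLS accepted but TLS setup broke: connection state is undefined,
        # so it must be dropped. Default is to defer and retry later.
        if fallback_to_clear and not require_tls:
            return attempt(server, tls_wanted=False)   # fresh cleartext connection
        return "deferred"
    return "delivered" if server.rcpt(True) == "250" else "bounced"
```

With `fallback_to_clear=True`, the relay that only temporarily cannot load its certificates turns a deferral into a "550" bounce, which is the escalation described in the message; listing it in hosts_require_tls is what keeps it a deferral.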