Re: [Exim] TLS Problem

Author: Łukasz Grochal
Date:  
To: exim-users
Subject: Re: [Exim] TLS Problem
Matthew Byng-Maddick <exim@???> writes:

> After all, the encryption gets you precisely nowhere and is more
> expensive in terms of resources.


Well, that sounds much like saying 'HTTPS gets you nowhere'. And
that's true - partially. As long as you can't authenticate your party,
you're vulnerable to blackhats attempting to impersonate them. But
still, you get your data channel encrypted, which makes it harder for
those with sniffers/carnivores/whatever to scan your mail for keywords
and then perhaps dig in deeper if they find something interesting.

Not much for security here, agreed - it's rather a matter of privacy.
Anyways - I hope this makes my point of view clear.

> Server, setup as a relay, but only for machines that have a valid client
> cert and do a TLS connection. For some reason, it can't currently get at
> its certificates, (perhaps they're on an encrypted filesystem or some
> such). Temporary error ensues, because the state of the connection is
> undefined, so you have to abandon it completely. I try again, without
> TLS this time, but the mailserver is configured to bounce all non-TLS
> mail with a ``550 Relaying denied'' message. Thus you've just escalated
> a temporary error (which should defer and retry) to a permanent one. I
> think this is *bad* default behaviour.


Great, OK. That means the host in question MUST NOT be a public MX for
the domain. I hope that's clear and I won't elaborate on that issue.

So now we actually have two scenarios, both involving the use of some
policy-based mail routing that bypasses the normal lookuphost/ipliteral routers:

1) The host in question is your smarthost and you route all your mail
through them. You just set up a special router and switch the proposed
option off for it, along with setting up proper client certificates and
stuff.
2) There is some weird setup where some mail goes to some special purpose,
top secret, members only relay host while all other mail is routed
normally. But knowing that this special host cannot be listed as
an MX for the domain, you must arrange a special router that handles
mail for them. And you can turn the option off for it.

> I think it's a crazy piece of functionality to have.


Good. Still, it's one that won't hurt. If left disabled, it wouldn't
influence Exim's functionality in any way. When enabled, in the most
common real-world setup with lookuphost and iprouter it can't do you
any harm either. And being able to turn it off for any other routers
you might have to write, you're safe.

BTW - what do you think about so-called opportunistic encryption in
IPSec? When you find a key available for some host, do you write their
administrators asking for permission to use IPSec when communicating
with them or do you just use it?

Regards,

--
(-) Łukasz Grochal                                  lukie@???
                                                  (for PGP key visit:)
_____________________________________________ http://www.rotfl.eu.org/ __
... all in all it's just another rule in the firewall.       /Ping Flood/
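Scenario 1 above (a dedicated router and transport for a relay host that must be reached over TLS with a client certificate, bypassing the normal routers), as an added configuration example that is not from the original thread. It assumes Exim 4 router/transport syntax rather than the Exim 3 syntax current when this was written; the relay host name, domain and file paths are placeholders.

```exim
# Added example, not from the thread: give the members-only relay its own
# router and transport so that the normal lookuphost/ipliteral path is
# bypassed and delivery to it is never retried in the clear.
# Exim 4 syntax assumed; host names, domains and paths are placeholders.

begin routers

# Mail for these domains goes only via the special relay host.
special_relay:
  driver = manualroute
  domains = secret.example.org
  route_list = * relay.example.net
  transport = smtp_tls_clientcert
  no_more

# Everything else takes the usual DNS-based path.
dnslookup:
  driver = dnslookup
  domains = ! +local_domains
  transport = remote_smtp
  no_more

begin transports

# Insist on TLS and present the client certificate. If the TLS session
# cannot be set up, the delivery is deferred and retried later instead
# of being retried without TLS, so the relay's 550 is never triggered.
smtp_tls_clientcert:
  driver = smtp
  hosts_require_tls = *
  tls_certificate = /etc/exim/client.crt
  tls_privatekey = /etc/exim/client.key
  tls_verify_certificates = /etc/exim/relay-ca.pem

# Ordinary outbound transport for all other mail.
remote_smtp:
  driver = smtp
```

With hosts_require_tls set on the dedicated transport only, the temporary-versus-permanent error escalation discussed above cannot occur for that host, while other mail is unaffected.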