[Exim] TLS wishlist

Top Page
Delete this message
Reply to this message
Author: Kai Risku
Date:  
To: exim-users
Subject: [Exim] TLS wishlist
I've been trying to implement a more secure mail system,
by requiring the use of TLS when delivering to known domains.

Otherwise the setup seems to work nice, but the way Exim 4.24
handles certain TLS-related errors, seems to leave room for
certain improvements.

I have defined the following router just before the standard
dnslookup router:

    secure_router:
      driver = dnslookup
      domains = ! +local_domains
      condition =
${lookup{$domain}lsearch{/etc/exim/secure_domains}{yes} \
                    {${if match{$header_sensitivity:}{onfidential}
{yes}{no}}}}
      transport = secure_smtp
      no_more


As well as the corresponding transport:

    secure_smtp:
      driver = smtp
      hosts_require_tls = *
      tls_verify_certificates = /etc/exim/certs/
      tls_certificate = /etc/exim/server.pem




As you can see from the condition in the router, I am also
experimenting with forcing a secure delivery if the email is
marked as confidential.

One particular problem arises if the remote server does not
support TLS, which results in Exim logging the following:

2003-11-27 15:44:33 1APMRW-0005ps-2v a TLS session is required for
mail.iki.fi [212.16.100.1], but the server did not offer TLS support

but that will not fail the delivery. Instead the delivery is
simply deferred and the delivery is retried per normal retry
rules (i.e. left in the mail queue until it bounces several
days later). In my opinion, failure to obtain a TLS session
for the delivery should bounce the message immediately, as
I don't think the problem would go away by trying again later.

Is there any easy way to handle these kinds of errors and
bouncing the message immediately? Or am I approaching this
problem ass-backward somehow?

(I have an ugly workaround with an additional router that
triggers on messages that are older than ten minutes and
matching the same conditions as the secure_router, whereby
the address is rewritten to a :fail:, but there *has* to
be better way to do it!)

--
Kai.Risku@???     GSM  +358-40-767 8282
Oy Arrak Software Ab   http://www.arrak.fi