Re: [Exim] TLS wishlist

Author: Philip Hazel
To: Kai Risku
CC: exim-users
Subject: Re: [Exim] TLS wishlist
On Thu, 27 Nov 2003, Kai Risku wrote:

> I have defined the following router just before the standard
> dnslookup router:
>
>    secure_router:
>      driver = dnslookup
>      domains = ! +local_domains
>      condition = ${lookup{$domain}lsearch{/etc/exim/secure_domains}{yes} \
>                  {${if match{$header_sensitivity:}{onfidential}{yes}{no}}}}
>      transport = secure_smtp
>      no_more
>
> As well as the corresponding transport:
>
>    secure_smtp:
>      driver = smtp
>      hosts_require_tls = *
>      tls_verify_certificates = /etc/exim/certs/
>      tls_certificate = /etc/exim/server.pem


Digression: Since the "transport" option is expanded, you could shorten
your configuration by just having an expansion in the normal dnslookup
router, instead of having two routers.

> 2003-11-27 15:44:33 1APMRW-0005ps-2v a TLS session is required for mail.iki.fi [212.16.100.1], but the server did not offer TLS support
>
> but that will not fail the delivery. Instead the delivery is
> simply deferred and the delivery is retried per normal retry
> rules (i.e. left in the mail queue until it bounces several
> days later).


> In my opinion, failure to obtain a TLS session
> for the delivery should bounce the message immediately, as
> I don't think the problem would go away by trying again later.


Well, I thought that if you actually set this up, you expect it to work,
so if it doesn't, you would probably want to fix the problem and let the
mail go through rather than bouncing it. Obviously, you think
differently... so an option is needed. I have put this on the Wish List.

> Is there any easy way to handle these kinds of errors and
> bouncing the message immediately? Or am I approaching this
> problem ass-backward somehow?


An alternative to a plain "bounce instead of defer" option would be to
make the error one that could be referenced from a retry item. Then you
could configure how long you want to retry - including zero.

The code for 4.30 has just been frozen, so this won't appear for some
time, because I won't be getting back to any development till February
at the earliest.

Philip

--
Philip Hazel            University of Cambridge Computing Service,
ph10@???      Cambridge, England. Phone: +44 1223 334714.
Get the Exim 4 book:    http://www.uit.co.uk/exim-book
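The single-router variant Philip mentions in his digression, written out as an added example (it is not configuration from the original thread or from the Exim distribution). Because the "transport" option is expanded at routing time, the lsearch lookup and the Sensitivity: header test can move from the condition of a second router into the transport choice of the ordinary dnslookup router. It assumes the normal remote transport is named remote_smtp, as in the stock Exim 4 configuration, and keeps Kai's file paths and his "onfidential" pattern unchanged.

```exim
# Added example: one dnslookup router whose transport is picked by expansion,
# replacing the separate secure_router + dnslookup pair. Assumes the ordinary
# remote transport is called remote_smtp (the name used in the stock Exim 4
# configuration); the secure_domains path and the header test are Kai's.
dnslookup:
  driver = dnslookup
  domains = ! +local_domains
  transport = ${lookup{$domain}lsearch{/etc/exim/secure_domains} \
                {secure_smtp} \
                {${if match{$header_sensitivity:}{onfidential} \
                      {secure_smtp}{remote_smtp}}}}
  no_more

# Unchanged from the thread: deliveries routed here insist on TLS. With the
# Exim release discussed above, a host that does not offer STARTTLS is
# deferred and retried under the normal retry rules, not failed outright.
secure_smtp:
  driver = smtp
  hosts_require_tls = *
  tls_verify_certificates = /etc/exim/certs/
  tls_certificate = /etc/exim/server.pem

# Plain transport for everything else (assumed name, as noted above).
remote_smtp:
  driver = smtp
```

The lookup's "not found" branch falls through to the header test, so a domain listed in /etc/exim/secure_domains always gets secure_smtp, and an unlisted domain gets it only when the Sensitivity: header matches; every other message routes to remote_smtp exactly as the standard router would.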