[exim] helo leak in tls_verify_hosts , forcing clients to u…

Author: thomas schorpp
Date:  
To: exim-users
Subject: [exim] helo leak in tls_verify_hosts , forcing clients to use ehlo , configuration?
Hello.

I want all clients to have verifiable certs and use TLS.

tls_verify_hosts = * does NOT work for HELO connections in ...4.51, only
for EHLO.

So I block otherwise with an ACL.

xxxxxxxxxxxxxxxxxxxxxxxxxxx
######################################################################
#                       ACL CONFIGURATION                            #
#         Specifies access control lists for incoming SMTP mail      #
######################################################################
begin acl


# don't accept without certificate cv
acl_certhelo_deny:
  # Exim ANDs the conditions on one verb: this deny only fires when the
  # certificate did not verify AND the session is unencrypted.
  deny    message = Your certificate issuer is no valid root CA or no \
                    encrypted connection, get one for free from www.cacert.org
          !verify = certificate
          !encrypted = *

  accept
xxxxxxxxxxxxxxxxxxxxxxxxxx

Although this works, it is not recommended, because clients will not retry
with EHLO then and report the message to users as rejected.

Better not to advertise HELO at all.

Question: what configuration do you suggest to force clients to EHLO?

Is it possible at all without changing Exim's program code?

Could the desired client behaviour be triggered by the appropriate error message?
Which?

thx,
y
tom
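Added example, not part of the original post: the same policy written as two separate deny statements, since Exim applies a verb only when all of its conditions are true, so a single deny with both conditions lets a TLS session with an unverified certificate through. The ACL name, the acl_smtp_mail wiring and the reply texts are assumptions; the 530 reply is the one RFC 3207 gives servers that require STARTTLS, and only a client that sent EHLO can have seen STARTTLS advertised and act on it.

```exim
# Added example (not the poster's configuration).
# Main section: run the ACL below at MAIL FROM, after HELO/EHLO and any STARTTLS.
acl_smtp_mail = acl_require_tls

begin acl

acl_require_tls:
  # No TLS on this session: answer with the RFC 3207 code so that a client
  # which supports STARTTLS can issue EHLO, STARTTLS and retry. A client
  # that only knows HELO cannot upgrade and is rejected here.
  deny    !encrypted = *
          message = 530 Must issue a STARTTLS command first

  # TLS is up, but no certificate was received or it did not verify
  # against tls_verify_certificates.
  deny    !verify = certificate
          message = 550 Client certificate missing or not verifiable

  accept
```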