Re: [exim] helo leak in tls_verify_hosts , forcing clients t…

Author: Tony Finch
Date:  
To: thomas schorpp
CC: exim-users
Subject: Re: [exim] helo leak in tls_verify_hosts , forcing clients to use ehlo ,configuration?
On Tue, 14 Jun 2005, thomas schorpp wrote:
>
> tls_verify_hosts = * does NOT work for helo connections in ...4.51. only
> for ehlo.


A client that says HELO instead of EHLO cannot use TLS (TLS requires
extended SMTP which requires the client to say EHLO) and therefore the
client cannot offer a certificate. If you reject non-encrypted clients
(using require encrypted = * in your ACLs) then this will automatically
deal with the HELO clients, and the tls_verify_hosts setting will deal
with the requirement for a certificate.

Tony.
--
<fanf@???> <dot@???> http://dotat.at/ ${sg{\N${sg{\
N\}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}\
\N}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}
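
An added configuration sketch of the setup described in this reply (not from the original message or the Exim project's own files; the file paths and the ACL name `acl_check_mail` are assumptions):

```exim
# ---- main configuration section ----

# Placeholder paths (assumptions); adjust to the local installation.
tls_certificate         = /etc/exim/placeholder-server.crt
tls_privatekey          = /etc/exim/placeholder-server.key
tls_verify_certificates = /etc/exim/placeholder-client-ca.pem

# Offer STARTTLS to every host. Only clients that say EHLO ever see the offer.
tls_advertise_hosts = *

# Any client that does start TLS must present a certificate that verifies.
tls_verify_hosts = *

# Hypothetical ACL name. The check runs at MAIL FROM rather than at HELO/EHLO,
# because the first EHLO of every session is necessarily sent before STARTTLS.
acl_smtp_mail = acl_check_mail

begin acl

acl_check_mail:
  # Rejects every unencrypted session. HELO clients can never reach STARTTLS,
  # so they are refused here without needing a separate HELO rule.
  require message   = TLS with a verified client certificate is required
          encrypted = *

  accept
```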