Re: Re: [exim] helo leak in tls_verify_hosts , forcing clien…

Startseite
Diese Nachricht ist Teil des folgenden Threads:
MDer komplette Thread sortiert nach Datum
MTony Finch am <-
MTony Finch am ->
Nachricht löschen
Nachricht beantworten
Autor: thomas schorpp
Datum:  
To: exim-users
Betreff: Re: Re: [exim] helo leak in tls_verify_hosts , forcing clients to use ehlo ,configuration?
hello,

Tony Finch wrote:
> On Tue, 14 Jun 2005, thomas schorpp wrote:
>
>>tls_verif_hosts = * does NOT work for helo connections in ...4.51. only
>>for ehlo.
>
>
> A client that says HELO instead of EHLO cannot use TLS (TLS requires
> extended SMTP which requires the client to say EHLO) and therefore the
> client cannot offer a certificate.

i know. so the clients defaulting to smtp must be brought to retry with
esmtp somehow.

> If you reject non-encrypted clients
> (using require encrypted = * in your ACLs) then this will automatically
> deal with the HELO clients, and the tls_verify_hosts setting will deal
> with the requirement for a certificate.
>
> Tony.

gmx germany wont:
2005-06-14 17:51:23 H=mail.gmx.de (mail.gmx.net) [213.165.64.20]
rejected MAIL <t.schorpp@???>:

Connected_to_83.129.172.101_but_sender_was_rejected./Remote_host_said:_550-

tls_on_connect_ports = 465

daemon_smtp_ports = smtp : 465

acl_not_smtp = acl_certhelo_deny
acl_smtp_mail = acl_certhelo_deny
acl_smtp_predata = acl_certhelo_deny
acl_smtp_mailauth = acl_certhelo_deny

...

as i know only exim is trying tls first.. bad.

better ideas?

i look for a 5xx message now which may trigger the clients...

y
tom






Diese Nachricht wurde auf der folgenden Mailing-List gepostet:
Exim-users
Mailing-List-Info | Nachrichten um die Zeit		<-Re: [exim] helo leak in tls_verify_hosts , forcing clients to use ehlo ,configuration?Re: Re: [exim] helo leak in tls_verify_hosts , forcing clients to use ehlo ,configuration?->
Tahini and Hummus and Cumin Development Archives administriert von cumin AdminsLurker (Version 2.3)