Re: Re: [exim] helo leak in tls_verify_hosts , forcing clien…

Top Page
Delete this message
Reply to this message
Author: thomas schorpp
Date:  
To: exim-users
Subject: Re: Re: [exim] helo leak in tls_verify_hosts , forcing clients to use ehlo ,configuration?
hello,

Tony Finch wrote:
> On Tue, 14 Jun 2005, thomas schorpp wrote:
>
>>tls_verif_hosts = * does NOT work for helo connections in ...4.51. only
>>for ehlo.
>
>
> A client that says HELO instead of EHLO cannot use TLS (TLS requires
> extended SMTP which requires the client to say EHLO) and therefore the
> client cannot offer a certificate.


i know. so the clients defaulting to smtp must be brought to retry with
esmtp somehow.

> If you reject non-encrypted clients
> (using require encrypted = * in your ACLs) then this will automatically
> deal with the HELO clients, and the tls_verify_hosts setting will deal
> with the requirement for a certificate.
>
> Tony.


gmx germany wont:
2005-06-14 17:51:23 H=mail.gmx.de (mail.gmx.net) [213.165.64.20]
rejected MAIL <t.schorpp@???>:

Connected_to_83.129.172.101_but_sender_was_rejected./Remote_host_said:_550-

tls_on_connect_ports = 465

daemon_smtp_ports = smtp : 465

acl_not_smtp = acl_certhelo_deny
acl_smtp_mail = acl_certhelo_deny
acl_smtp_predata = acl_certhelo_deny
acl_smtp_mailauth = acl_certhelo_deny

...

as i know only exim is trying tls first.. bad.

better ideas?

i look for a 5xx message now which may trigger the clients...

y
tom