[exim] .ifdef SUPPORT_TLS; exim 4.60

Author: Phil Pennock
Date:  
To: exim-users
Subject: [exim] .ifdef SUPPORT_TLS; exim 4.60
Exim 4.60, most stuff going to smarthost but some stuff going out
directly to MX, based on existence of a flag-file for the domain. I
just added another flag-file for a friend's system and was surprised to
see TLS used.

Whether or not it's a good idea, I do actually disable the automatic use
of TLS for sending to remote systems; or at least, I thought I did. (I
build with TLS to support client submission.)

remote_smtp:
  driver = smtp
.ifdef SUPPORT_TLS
  hosts_avoid_tls = *
.endif

The log-line confirms that this was the transport used. The remote host
does advertise STARTTLS. "exim -d+all recipient@???" confirms
that (IP address changed):

01:53:33 13440          250-SIZE 52428800
01:53:33 13440          250-PIPELINING
01:53:33 13440          250-STARTTLS
01:53:33 13440          250 HELP
01:53:33 13440 192.0.2.42 in hosts_avoid_tls? no (option unset)
01:53:33 13440   SMTP>> STARTTLS


Is there a way to find out which macros are defined at run-time? The
very fact that TLS is available should have meant that SUPPORT_TLS was
defined, surely? I've checked the OS's package build system and it's
definitely defining SUPPORT_TLS=yes in the Local/Makefile.

I could've sworn that this used to work ... any ideas? Anything obvious
that I'm missing?


Separately, do people these days automatically use TLS for connecting to
arbitrary sites where they don't have client certificates to offer?
ISTR various problems with breakage where remote sites either insisted
on a certificate, or else if the certificate was not signed by a
recognised CA would reject the connection. Ideally the public interface
of an MTA wouldn't insist on verification since that would act to
encourage a closed market in CAs (the most widely deployed being the
only ones practical to use) but I suspect that reality doesn't match
this ideal. Is tls_tempfail_tryclear for the public 'net sufficient for
the real world?

Thanks,
-Phil
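Added example, not part of the post and not Exim's own code: a small Python emulation of the `.ifdef` / `.ifndef` / `.else` / `.endif` handling Exim applies to its runtime configuration. Exim's conditional directives test only macros defined in the configuration file itself (an uppercase `NAME = value` line) or on the command line with `-D`; a setting such as `SUPPORT_TLS=yes` in Local/Makefile is a build-time C preprocessor macro that selects compiled-in features (what `exim -bV` reports) and does not define a configuration macro. The emulation takes the transport exactly as posted and shows the `hosts_avoid_tls` line dropping out, which matches the `in hosts_avoid_tls? no (option unset)` debug line, and reappearing when the macro is defined in the configuration or passed with `-D`. The transport text and macro name are copied from the post; the function names and the `cmdline_macros` parameter are this example's own, and `.elifdef`/`.elifndef` are deliberately not handled.

```python
"""Emulation of Exim's .ifdef conditional processing (constructed example).

Only macros defined in the runtime configuration (NAME = value) or given
via -DNAME[=value] are visible to .ifdef; Local/Makefile build settings
such as SUPPORT_TLS are compiled into the binary and are not macros here.
"""
import re

# Exim macro names start with an uppercase letter; option names are lowercase.
MACRO_DEF = re.compile(r'^([A-Z][A-Z0-9_]*)\s*=\s*(.*)$')
TRANSPORT_HEADER = re.compile(r'^(\w+):$')


def preprocess(config_text, cmdline_macros=None):
    """Return the effective configuration lines after .ifdef handling.

    cmdline_macros emulates `exim -DNAME=value`; the value may be empty.
    """
    macros = dict(cmdline_macros or {})
    stack = []          # (active_before_this_block, condition_of_this_branch)
    active = True
    out = []
    for raw in config_text.splitlines():
        line = raw.strip()
        parts = line.split(None, 1)
        directive = parts[0] if parts else ''
        if directive in ('.ifdef', '.ifndef'):
            name = parts[1].strip() if len(parts) > 1 else ''
            defined = name in macros
            cond = defined if directive == '.ifdef' else not defined
            stack.append((active, cond))
            active = active and cond
            continue
        if directive == '.else':
            parent, cond = stack.pop()
            stack.append((parent, not cond))
            active = parent and not cond
            continue
        if directive == '.endif':
            parent, _ = stack.pop()
            active = parent
            continue
        if not active or not line or line.startswith('#'):
            continue
        m = MACRO_DEF.match(line)
        if m:                       # macro definition inside the config itself
            macros[m.group(1)] = m.group(2)
            continue
        out.append(line)
    if stack:
        raise ValueError('unterminated .ifdef/.ifndef')
    return out


def transport_options(lines, name):
    """Collect the option lines of one transport from preprocessed config."""
    opts = {}
    current = None
    for line in lines:
        h = TRANSPORT_HEADER.match(line)
        if h:
            current = h.group(1)
            continue
        if current == name and '=' in line:
            key, _, value = line.partition('=')
            opts[key.strip()] = value.strip()
    return opts


def tls_avoided(config_text, cmdline_macros=None, transport='remote_smtp'):
    """True when hosts_avoid_tls = * survives preprocessing, i.e. the
    transport will not issue STARTTLS; False corresponds to the debug
    line 'in hosts_avoid_tls? no (option unset)'."""
    opts = transport_options(preprocess(config_text, cmdline_macros), transport)
    return opts.get('hosts_avoid_tls') == '*'


# Constructed copy of the transport from the post (not a complete Exim config).
POSTED_TRANSPORT = """\
remote_smtp:
  driver = smtp
.ifdef SUPPORT_TLS
  hosts_avoid_tls = *
.endif
"""

# Same transport, but with the macro defined in the configuration file.
WITH_CONFIG_MACRO = "SUPPORT_TLS = yes\n" + POSTED_TRANSPORT

if __name__ == '__main__':
    # Local/Makefile's SUPPORT_TLS=yes defines nothing at this level, so the
    # option is dropped and the transport goes on to negotiate STARTTLS.
    print('as posted:          ', tls_avoided(POSTED_TRANSPORT))
    print('macro in config:    ', tls_avoided(WITH_CONFIG_MACRO))
    print('exim -DSUPPORT_TLS: ', tls_avoided(POSTED_TRANSPORT, {'SUPPORT_TLS': ''}))
```

The practical check this suggests is `exim -bP transport remote_smtp`, which prints the transport's settings as Exim actually parsed them, so a missing `hosts_avoid_tls` shows up before any mail is sent.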