[exim-dev] [Bug 511] New: tls_verify_hosts does not require …

Top Page
Delete this message
Reply to this message
Author: bug511
Date:  
To: exim-dev
Subject: [exim-dev] [Bug 511] New: tls_verify_hosts does not require TLS
------- You are receiving this mail because: -------
You are the QA contact for the bug, or are watching the QA contact.

http://www.exim.org/bugzilla/show_bug.cgi?id=511

           Summary: tls_verify_hosts does not require TLS
           Product: Exim
           Version: 4.67
          Platform: Other
               URL: http://bugs.debian.org/422419
        OS/Version: Linux
            Status: NEW
          Severity: wishlist
          Priority: medium
         Component: Documentation
        AssignedTo: ph10@???
        ReportedBy: mh+exim-bugzilla@???
         QAContact: exim-dev@???



Hi,

this issue is from the Debian BTS, issue #42219:
It should be clarified in the documentation that tls_verify_hosts only
applies to TLS sessions. That is, if a sending host matched in
tls_verify_hosts does not attempt to use TLS, it can still send messages
unencrypted.

The issue report also has text for docs improvement:
tls_verify_hosts        Use: main       Type: host list†        Default:
unset


This option, along with tls_try_verify_hosts, controls the checking of
certificates from clients. The expected certificates are defined by
tls_verify_certificates, which must be set. A configuration error occurs if
either tls_verify_hosts or tls_try_verify_hosts is set and
tls_verify_certificates is not set.

Any client that matches tls_verify_hosts is constrained by
tls_verify_certificates. The client must present one of the listed
certificates. If it does not, the connection is aborted.
++Listing a host in tls_verify_hosts does not directly require the host
++to actually use TLS. It can still send SMTP commands through
++unencrypted connections. Enforcing TLS for a host needs to be done
++separately using ACLs.

A weaker form of checking is provided by tls_try_verify_hosts. If a client
matches this option (but not tls_verify_hosts), Exim requests a certificate and
checks it against tls_verify_certificates, but does not abort the connection if
there is no certificate or if it does not match. This state can be detected in
an ACL, which makes it possible to implement policies such as “accept for
relay
only if a verified certificate has been received, but accept for local delivery
if encrypted, even without a verified certificate”.

Client hosts that match neither of these lists are not asked to present
certificates.

Exim allows to enforce TLS encryption and to enforce
certificate verification for tls-protected connections, it is easy to
put both together. I guess this is usually done automatically, by both
requiring SMTP AUTH and only advertising SMTP AUTH on TLS pretected
connections.

######################################
hostlist youmustusedverifiedtls = blah.example.com : foo.example.com

tls_verify_hosts = +youmustusedverifiedtls
[...]

begin acl
acl_check_mail:
        deny
                message = No TLS encryption used
                hosts = +youmustusedverifiedtls
                condition = ${if eq{$tls_cipher}{}{yes}{no}}
######################################


The condition could probably also be wetten as ! encrypted = *

Please feel free to take any of these suggestions for the exim docs.

--
Configure bugmail: http://www.exim.org/bugzilla/userprefs.cgi?tab=email