Re: [exim] Not advertising STARTTLS

Author: Phil Pennock
Date:  
To: anw-dist
CC: exim-users
Subject: Re: [exim] Not advertising STARTTLS
On 2010-09-20 at 22:22 -0400, Allen Williams wrote:
> So, thank you so much. This experimentation showed exim4, whether I
> telnet locally or remotely on either port 25 or 125 (well, I can't do it
> remotely on 125), is behaving correctly. For some reason, when ASSP is
> in the chain, it doesn't advertise correctly. What I need to do is find
> out why ASSP isn't "transparent", or why exim4 would advertise
> differently through ASSP. If you know anything about ASSP, any hints
> would be welcome, but now it's clear the problem is not Exim. If I get
> a solution, I'll email this list for future reference.
ASSP is a man-in-the-middle proxy. It has to disable STARTTLS because
otherwise TLS will do its job properly, the client and Exim will
negotiate a secure session and ASSP won't be able to do anything except
either (1) drop the connection (either directly or through bad packet
injection) or (2) pass on packets without inspection.

I see from http://assp.sourceforge.net/ that ASSP 1.7.1.3 supports
man-in-the-middle of some kind.

Ultimately, you need your proxy to be the one with access to the private
key so that the TLS session from the client is terminated by the proxy.

If you find that there's some feature that Exim can provide to make this
easier (e.g., accepting session identification data from the proxy for
Exim's own logs) let us know.

Regards,
-Phil
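A quick way to confirm what each path actually advertises (direct to Exim versus through the proxy) is to compare the EHLO extension lists. This is an added example in Python, not code from the thread, from Exim or from ASSP; the two EHLO replies are constructed samples, and `probe_live` assumes a reachable host and port.

```python
"""Detect STARTTLS stripping by comparing EHLO replies from two paths.

Added example (not from the exim-users thread, Exim or ASSP). Assumes raw
multi-line EHLO replies in RFC 5321 form: '250-KEYWORD' continuation lines
followed by a final '250 KEYWORD' line.
"""
import smtplib


def parse_ehlo_extensions(reply: str) -> set[str]:
    """Return the uppercase extension keywords from a raw EHLO reply.

    The first line is the server's greeting (hostname), not an extension,
    so it is skipped; every later '250' line yields its first word.
    """
    exts = set()
    for line in reply.splitlines()[1:]:
        if not line.startswith("250") or len(line) < 4:
            continue
        parts = line[4:].split()
        if parts:
            exts.add(parts[0].upper())
    return exts


def starttls_advertised(reply: str) -> bool:
    return "STARTTLS" in parse_ehlo_extensions(reply)


def compare_paths(direct_reply: str, proxied_reply: str) -> str:
    """'ok' if both advertise STARTTLS, 'stripped' if only the direct path
    does (a proxy in the chain is removing it), 'absent' if neither does."""
    direct, proxied = starttls_advertised(direct_reply), starttls_advertised(proxied_reply)
    if direct and proxied:
        return "ok"
    if direct and not proxied:
        return "stripped"
    return "absent"


def probe_live(host: str, port: int = 25, timeout: float = 10.0) -> bool:
    """Live check (not run offline): EHLO the server and ask for STARTTLS."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        return smtp.has_extn("starttls")


# Constructed sample replies: the first as Exim answers directly, the second
# as seen through a proxy that has dropped the STARTTLS line.
DIRECT_EHLO = ("250-mail.example.test Hello client [192.0.2.10]\r\n250-SIZE 52428800\r\n"
               "250-8BITMIME\r\n250-PIPELINING\r\n250-STARTTLS\r\n250 HELP\r\n")
PROXIED_EHLO = ("250-mail.example.test Hello client [192.0.2.10]\r\n250-SIZE 52428800\r\n"
                "250-8BITMIME\r\n250-PIPELINING\r\n250 HELP\r\n")
```

Run `compare_paths` on the replies captured from port 25 directly and through the proxy port; a result of `stripped` means the proxy, not Exim, is removing the advertisement.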