On 2012-06-02 08:16, Phil Pennock wrote:
>> On the other hand the secondary feature
>> (use of TLS by verify-callouts) *will* activate automatically.
>
> Please not unless specifically requested: TLS is quite heavy and that
> adds to the verify burden. Can you make this something that has to be
> enabled, either by "verify_tls" on the transports, or a flag on the
> ACL control modifier?

OK, I'll add a switch, defaulting "off".
Because of the interaction between "pure" verify callouts and
cutthrough deliveries neither the new control= nor the verify=
really feels like the right place. I'll put it on the transport
for now; can always move it later.

> Did this help at all? Would it help if I did something similar for
> OpenSSL? We're 1/4 of the way there already, with the "callback" data
> structure used for SNI.

Keeping up with you has been a major effort :)
There may be some tidying needed after I merge.

>
> I favour $tls_in_* and $tls_out_* and keep the existing names, resetting
> as appropriate. Mark the existing names deprecated and state that we're
> likely to remove them in, say, Exim 5.

OK.

--
Jeremy