Auteur: Phil Pennock Datum: Aan: Wolfgang Breyha CC: exim-users Onderwerp: Re: [exim] outgoing TLS - verifying certificates
On 2013-07-22 at 17:45 +0200, Wolfgang Breyha wrote: > I recently changed our configuration to verify SSL certificates.
>
> I recognized that this changed the behaviour of exim on outgoing connections.
> If verification fails he cancels the connection and sends it on a clear
> channel. The only way to avoid that is to set host_require_tls = *. But this
> means that there is no fallback then.
>
> I primarily activated verification to be able to log that part of information.
> But since I can't get the same behaviour as without verification I think I've
> to deactivate it again since I care more about encryption on the wire. Or is
> there something I missed in the documentation of the smtp transport?
Not that I know of; I wanted to do the same thing, a while back, haven't
fixed it yet. Really, want tls_try_verify_hosts for Exim-as-client, not
just Exim-as-server.
> In case I didn't, wouldn't it be practical to be able to encrypt even if
> verification fails on outgoing delivery?
Yes, especially since Exim is only validating the certificate chain, not
the claimed hostname.