[exim-dev] [hs@schlittermann.de: Re: DANE]

Pàgina inicial
Delete this message
Reply to this message
Autor: Heiko Schlittermann
Data:  
A: exim-dev
Assumpte: [exim-dev] [hs@schlittermann.de: Re: DANE]
Hi,

since there is currently a lot work done with respect to tls
information, I'd like to bring the following into discussion again.

What do you think about it?

(Viktors opinion was, that we shouldn't leave the decision about
aborting/continuing of the TLS session to the user, but I think, giving
providing this option is more in the spirit of exim.)

----- Forwarded message from Heiko Schlittermann <hs@???> -----

Date: Thu, 3 Apr 2014 23:27:20 +0200
From: Heiko Schlittermann <hs@???>
To: Phil Pennock <pdp@???>
Cc: Viktor Dukhovni <viktor@???>, Todd Lyons <tlyons@???>
Subject: Re: DANE

Phil Pennock <pdp@???> (Do 03 Apr 2014 21:23:27 CEST):
> On 2014-04-03 at 15:46 +0000, Viktor Dukhovni wrote:
> > Don't know about TLS authentication in Exim, can one specify per
> > destination-domain peer names, fingerprints, trust anchors, ...
>
> Exim's client TLS verification, if enabled, is for certificate
> validation but not hostname validation. That would need to be added.
> You can specify trust anchors, yes.


What about an smtp transport option *about* like this

    tls_continue = …        


+------------+---------+--------------+-------------+
|tls_continue|Use: smtp|Type: boolean*|Default: true|
+------------+---------+--------------+-------------+

This option gets expanded right after the basic negotiation, before
starting the "real session".

    <- 250 ESMTP
    -> EHLO …
    <- …
    -> STARTTLS
    <- 220 TLS 
     …
    [ condition = false ]   [ condition = true ]
    ~> QUIT                 ~> MAIL FROM: …


This option could be used to do useful things with the certificate
information we have (e.g. match the $hostname with the DN)

--
Heiko

----- End forwarded message -----