On 08/05/14 15:45, Heiko Schlittermann wrote:
> What about an smtp transport option *about* like this
>
> tls_continue = …
>
> +------------+---------+--------------+-------------+
> |tls_continue|Use: smtp|Type: boolean*|Default: true|
> +------------+---------+--------------+-------------+
>
> This option gets expanded right after the basic negotiation, before
> starting the "real session".
>
> <- 250 ESMTP
> -> EHLO …
> <- …
> -> STARTTLS
> <- 220 TLS
> …
> [ condition = false ] [ condition = true ]
> ~> QUIT ~> MAIL FROM: …
>
> This option could be used to do useful things with the certificate
> information we have (e.g. match the $hostname with the DN)
Oddly enough I was musing earlier today about some form of callback
being made into exim.conf space for each layer of certificate in
a (CA-based) trust chain, during TLS connection startup.
Feels like we're playing in the same space.
Since a simple expansion can call a custom ACL, which might be
given visibility of that certificate, we can get as complex
as we want. It would be able to do the checking of
SN/SAN against the peer name (hmm. Which one? The MX?) if
we didn't get around to hardwiring that (and apparently if
we did hardwire it we'd need an exception for DANE... is that
true?)
It would also be able to trigger full-fat OCSP (not stapling)
lookups on the intermediate certificates, which was where I
started.
--
Cheers,
Jeremy
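As an added illustration (not from the thread or the Exim source) of how the proposed option could be used for the DN check Heiko mentions: `tls_continue` does not exist in Exim, so that line is hypothetical; `$host`, `$tls_out_peerdn` and the `rxquote` operator are existing Exim expansion items, and the CA file path is an assumed example.

```exim
remote_smtp:
  driver = smtp
  hosts_require_tls = *
  # Assumed CA bundle path; adjust for the local system.
  tls_verify_certificates = /etc/ssl/certs/ca-certificates.crt
  # Hypothetical option from the proposal above (not implemented in Exim):
  # expanded after STARTTLS has succeeded and before MAIL FROM.  A "false"
  # result would make the transport send QUIT instead of continuing.
  #
  # Check that the verified peer certificate's subject DN carries a CN equal
  # to the host name we connected to.  The DN separator depends on the TLS
  # library (GnuTLS uses "," and OpenSSL uses "/"), so accept either.
  # rxquote escapes regex metacharacters such as "." in the host name.
  # Note: this looks at the CN only; a SAN check would need the full
  # certificate ($tls_out_peercert) rather than the DN string.
  tls_continue = ${if match{$tls_out_peerdn}\
                           {\N(^|[,/])CN=\N${rxquote:$host}\N([,/]|$)\N}\
                           {true}{false}}
```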