Re: [exim-dev] [hs@schlittermann.de: Re: DANE]

Author: Heiko Schlittermann
Date:  
To: exim-dev
Subject: Re: [exim-dev] [hs@schlittermann.de: Re: DANE]
Viktor Dukhovni <viktor1dane@???> (Do 08 Mai 2014 17:03:13 CEST):
> On Thu, May 08, 2014 at 04:43:41PM +0200, Heiko Schlittermann wrote:
>
> > since there is currently a lot of work done with respect to tls
> > information, I'd like to bring the following into discussion again.
> >
> > What do you think about it?
> >
> > (Viktor's opinion was that we shouldn't leave the decision about
> > aborting/continuing of the TLS session to the user, but I think
> > providing this option is more in the spirit of exim.)
>
> To be clear, I have no problem with giving users a configuration



> Exim SHOULD provide:
>     * User interface to require/enable/disable DANE TLS


> Exim SHOULD NOT require:
>     * Complex ${if ...} state-machines to perform hostname



I fully agree.
I'm thinking of something like this (not sure if I
got the ${acl{}} feature right…):

    begin acl

        acl_check_dane:
            accept verify = dane
            deny

    begin transports

        remote_smtps:
            driver = smtp
            hosts_require_tls = *
            tls_continue = ${acl{acl_check_dane}}

This gives the user the power to implement whatever he wants
as the condition.

--
Heiko