Re: [exim] tls_certificate weirdness

Author: Jeremy Harris
Date:  
To: exim-users
Subject: Re: [exim] tls_certificate weirdness
On 23/08/16 20:03, Phillip Carroll wrote:
> Although, because of
> fallback to unencrypted mode, I admit I can't say for certain that it
> "works" in the sense of all traffic being encrypted in both directions.


For incoming, use an "encrypted = *" ACL condition.
For outgoing, use a "hosts_require_tls = *" option on all relevant smtp
transports.


If you're interested in observing peer certificates, look into Exim's
Events extension and the certificate-related string expansions. You'll
be amazed how many certs presented are non-verifiable. IMHO, after
just getting people to make encryption available, cert verifiability
will be the next Big Problem.
--
Cheers,
Jeremy
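
The two settings named in the message above, placed in a configuration file. This is an added example, not part of the original message or of Exim's shipped configuration. It assumes TLS is already set up (tls_advertise_hosts, tls_certificate), and the ACL name acl_check_mail and transport name remote_smtp are illustrative.

```exim
# --- main section ---
# Run the ACL below at MAIL FROM for every inbound SMTP session.
acl_smtp_mail = acl_check_mail

# Record the peer DN and whether the peer certificate verified
# in the main log line for each TLS session.
log_selector = +tls_peerdn +tls_certificate_verified

begin acl

acl_check_mail:
  # Inbound: refuse the transaction unless the session is encrypted.
  # "encrypted = *" matches any negotiated cipher; "!" negates it.
  deny    message    = Encrypted connection (STARTTLS) required
          !encrypted = *
  accept

begin transports

remote_smtp:
  driver = smtp
  # Outbound: never fall back to cleartext. If the remote host does not
  # offer STARTTLS or the handshake fails, the message is not sent to it
  # in clear; delivery is deferred or tried on another host.
  hosts_require_tls = *
```

Requiring encryption in both directions says nothing about whether the peer's certificate verified; the log selectors above only make that visible per connection.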