On 23/08/16 20:03, Phillip Carroll wrote:
> Although, because of
> fallback to unencrypted mode, I admit I can't say for certain that it
> "works" in the sense of all traffic being encrypted in both directions.

For incoming, use an "encrypted = *" ACL condition.

For outgoing, use a "hosts_require_tls = *" option on all relevant smtp
transports.

If you're interested in observing peer certificates, look into Exim's
Events extension and the certificate-related string expansions. You'll
be amazed how many certs presented are non-verifiable. IMHO, after
just getting people to make encryption available, cert verifiability
will be the next Big Problem.
--
Cheers,
Jeremy
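
Where the two settings named in the reply above sit in an Exim configuration file, as an added sketch that is not part of the original message. The ACL name acl_check_mail, the transport name remote_smtp, the rejection text and the certificate paths are assumptions chosen for illustration.

```conf
# --- main section ---
# Offer STARTTLS to every connecting host (placeholder cert/key paths).
tls_advertise_hosts = *
tls_certificate = /path/to/placeholder-cert.pem
tls_privatekey = /path/to/placeholder-key.pem

# Run the ACL below at MAIL FROM (ACL name is an assumption).
acl_smtp_mail = acl_check_mail

begin acl

acl_check_mail:
  # Incoming: "encrypted = *" is true for any negotiated cipher suite,
  # so the negated form matches sessions that never completed STARTTLS.
  deny    message = TLS is required on this service
          !encrypted = *
  accept

begin transports

remote_smtp:
  driver = smtp
  # Outgoing: without this option the transport may fall back to
  # cleartext when TLS cannot be set up. With it, delivery to the host
  # is deferred instead of being sent unencrypted.
  hosts_require_tls = *
```

Requiring TLS on a public port-25 listener rejects mail from senders that cannot negotiate it, and hosts_require_tls = * defers mail to destinations that do not offer STARTTLS, so both are usually scoped to the listeners and transports where that outcome is acceptable.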