Author: Phil Pennock Date: To: Jeremy Harris CC: exim users, exim-dev Subject: Re: [exim] [exim-dev] [Bug 2018] proxy protocol is not supported on
smtps (direct SSL/TLS) connections
On 2017-01-18 at 16:06 +0000, Jeremy Harris wrote: > To expand: Exim's implementation of Proxy Protocol
> is currently hooked in after the TLS start done for
> tls-on-connect.
>
> It turns out that the protocol spec document is ambiguous
> and the other way about (proxy-protocol handling done
> in-clear, then TLS) is the preferred way for HAproxy.
>
> Is anyone using and relying on the current Exim implementation
> ordering? Or shall I just swap them round?
I think that Jeremy knows my opinion here, but so that others know what
is likely to happen if nobody speaks up:
I strongly favour swapping them around, putting a note in
README.UPDATING and avoiding adding yet another knob.
So if you are relying upon something which speaks Proxy Protocol
initiating its _own_ TLS connection to an Exim TLS-on-connect backend,
_then_ speaking PP within that, _before_ passing off to hand-off from
the origin client, then you need to speak up with some details so that
we can understand and weigh the cost of the added complexity, and make
sure that we can then handle it without ending up with TLS tunnelled
inside TLS.
