[exim-dev] [Bug 2265] TLS SNI not auto-set for DANE clients

Author: admin
Date:  
To: exim-dev
Subject: [exim-dev] [Bug 2265] TLS SNI not auto-set for DANE clients
https://bugs.exim.org/show_bug.cgi?id=2265

--- Comment #4 from Phil Pennock <pdp@???> ---
(Patch is reversed.)

The issue I see is that we don't switch transports based upon DANE or not, or
have a way to skip a router if DANE fails (since that's something for later, at
SMTP time, when checking hosts). So there's no (sane?) way to have a config
which has tls_sni set to something based on "possible expansion lookup" and
still have the option be unset for the DANE scenario.

I see two approaches here:
1.
  a. Allow for forced-fail expansion and empty expansion, to mean defaults too
  b. Add a new expansion variable, $dane_active or some such (since
     $tls_out_dane is set much later, I think?)
2. Say "DANE always uses the SNI set per DANE specs" and force-override,
   always.

IMO 2 is simpler and easier. (Sorry that I haven't gotten to this myself)

My assumption is that people who care about SMTP security will have manual
overrides for a bunch of domains, as I do, but want DANE to provide automatic
improved security when available.

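The configuration pattern the comment describes (opportunistic DANE on every host, plus manual per-host SNI overrides for a few domains), written out as an added example that is not part of the bug report and is not Exim's own configuration. The transport name, the override file path and the two entries in it are assumptions for illustration; the option names are real Exim smtp transport options.

```exim
# Added example, not from the bug report or from the Exim distribution.
# Constructed override table, assumed to live at /etc/exim4/tls_sni_overrides:
#   mx1.example.net: mail.example.net
#   mx.example.org:  smtp.example.org

remote_smtp:
  driver = smtp
  # Ask for DNSSEC on lookups for every domain and try DANE whenever a
  # usable TLSA record is found; hosts without one get ordinary TLS.
  dnssec_request_domains = *
  hosts_try_dane = *
  # Manual SNI override for hosts whose certificate name differs from the
  # MX hostname; every other host falls back to the MX hostname as SNI.
  tls_sni = ${lookup{$host}lsearch{/etc/exim4/tls_sni_overrides}{$value}{$host}}
```

With the behaviour this bug reports, the tls_sni value above is what gets sent even on a DANE-verified connection, because the option is expanded before it is known whether DANE applies and there is no router or transport switch on DANE success. Under option 2 from the comment, DANE would override this setting with the SNI the DANE specs call for, and the lookup would only matter for non-DANE hosts; under option 1a, replacing the final `{$host}` branch with `fail` would be the way to ask for the default.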