Auteur: Alice Wonder Datum: Aan: exim-users Onderwerp: Re: [exim] equivalent of postfix policy map?
On 3/14/19 8:55 PM, Jasen Betts via Exim-users wrote: > On 2019-03-14, Alice Wonder via Exim-users <exim-users@???> wrote:
>> I'm looking through the manual trying to find the equivalent of a
>> postfix policy map file for outgoing domains where I can define one
>> domain should require TLS 1.2 with high quality ciphers and PKIX
>> validation while another domain only requires TLS 1.0 with medium
>> quality ciphers and no validation of the X509 cert, etc.
>
> exim has fewer predefined features than postfix, using instead its
> string expansion programming language where special cases need to be
> handled.
>
> Exim provides transport options like tls_require_ciphers it's up to
> you as admin to pick a static value or use some sort of string expansion
> - pehaps do a file or (NO)SQL database lookup, or run an external utility) to
> get the correct values for each parameter of each connection.
My project uses a MariaDB database to keep track of appropriate security
policies. But it doesn't need to be on the same host as the MTA relay.
It's then relatively simple to generate a Postfix policy map by querying
that database and distribute that policy map to all MTA clients on the
network that connect to MX hosts without each relay needing to connect
to the database.
That's what I am hoping to do with Exim too.
>
>> This is for a project that uses one host (that may or may not be on the
>> mail server) to monitor mailbox domains and detect what domains should
>> use policies more restrictive than opportunistic TLS.
>
> Exim already understands DANE
Yes, so does postfix - and with postfix I filter the dane generated
policies when it is configured to discover dane by default already.
But with postfix, under some scenarios it is necessary to use a default
policy of encrypt so that cleartext is never used (e.g. doctors office
where you don't want passive snooping to be able to extract private
medical information about a patient), and under a default policy of
encrypt, it then has to be told to use DANE instead for domains that
support DANE. Not sure if Exim dane support works the same way.
Also domains without DANE sometines use MTA-STS and STARTTLS Everywhere
policies to let an MTA know that they should require validated TLS
rather than opportunistic TLS.
Would be nice if everyone used DANE but many do not.
It appears that there is little interest in MTA-STS capabilities being
built-in to Exim, but they don't need to be if the policies can be
discovered by an external program and translated into directives that
tell Exim to require PKIX validation for those domains.
>
>> I really want it to work with Exim as well as postfix, but I am having
>> trouble finding what chapter in the Exim manual covers where and how
>> such policies are defined.
>
> CH30 "The SMTP Transport"
> CH42 "Encrypted SMTP"
> CH11 "String Expansions"
> CH9 "File and database lookups"
>
>
> Also:
>
> Ch3 "How Exim receives and delivers mail"
>
> Is probably the most important chapter, it explains the life-cycle of
> an email and how the several parts of an exim mail system interact.
> Re-reading it can often provide inspiration when a task seems impossible.
>
>
> The command-line '/usr/sbin/exim -be' will allow easy experimentation with
> string expansions.
>