Re: [exim] equivalent of postfix policy map?

Author: Jeremy Harris
Date:  
To: exim-users
Subject: Re: [exim] equivalent of postfix policy map?
On 15/03/2019 13:16, Alice Wonder via Exim-users wrote:
> use a default
> policy of encrypt so that cleartext is never used (e.g. doctor's office
> where you don't want passive snooping to be able to extract private
> medical information about a patient), and under a default policy of
> encrypt, it then has to be told to use DANE instead for domains that
> support DANE. Not sure if Exim dane support works the same way.


A transport with hosts-require-tls and hosts-try-dane both set,
used by a router picking out those domains.

>
> Also domains without DANE sometimes use MTA-STS and STARTTLS Everywhere
> policies to let an MTA know that they should require validated TLS
> rather than opportunistic TLS.


https://github.com/Exim/exim/wiki/starttls-everywhere will be
of interest.


> It appears that there is little interest in MTA-STS capabilities being
> built-in to Exim


Indeed. I gave up on internal support once using https became involved.
That doesn't mean someone else couldn't expend the development effort.
--
Cheers,
Jeremy
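
A sketch of the router and transport pairing described in the reply above, added here as an illustration and not taken from the post or from the Exim project's own configuration. The option names are written with the underscore spelling Exim's configuration uses; the names `tls_only_domains`, `tls_only_dnslookup` and `remote_smtp_tls_only` and the sample domains are assumptions.

```exim
# --- main section ---
# Constructed sample list: recipient domains that must never be
# handed mail over a cleartext SMTP session.
domainlist tls_only_domains = example.org : example.net

# --- routers section (after "begin routers") ---
# Place this router ahead of the general dnslookup router so that the
# listed domains are picked out first.
tls_only_dnslookup:
  driver = dnslookup
  domains = +tls_only_domains
  transport = remote_smtp_tls_only
  # If this router declines, do not let the address fall through to a
  # later router whose transport would accept cleartext.
  no_more

# --- transports section (after "begin transports") ---
remote_smtp_tls_only:
  driver = smtp
  # Refuse to deliver unless STARTTLS succeeds with the remote host.
  hosts_require_tls = *
  # Look for TLSA records for every host; where usable records are
  # found, the session must verify against them. DANE depends on the
  # resolver returning DNSSEC-validated answers.
  hosts_try_dane = *
```

Domains not in the list continue to the existing routers and transport, so the mandatory-TLS behaviour applies only to the domains the router selects.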