[exim-dev] [Bug 2594] CNAME handling can break TLS certifica…

Page principale
Supprimer ce message
Répondre à ce message
Auteur: admin
Date:  
À: exim-dev
Anciens-sujets: [exim-dev] [Bug 2594] New: CNAME handing can break TLS certificate verification
Sujet: [exim-dev] [Bug 2594] CNAME handling can break TLS certificate verification
https://bugs.exim.org/show_bug.cgi?id=2594

--- Comment #6 from Chris Paulson-Ellis <chris@???> ---
(In reply to Phil Pennock from comment #5)
> In the original bug-report here:
>
> """
> Cert hostname to check: "mail.edesix.local"
> Setting TLS SNI "mail.dev.edesix.com"
> """
>
> That is clearly an unfortunate combination. The first should use the same
> value as the second.


Interesting info about DANE.

For information - the TLS SNI value comes directly from my configuration. I
didn't set it deliberately, but in the default config, smarthost_smtp has
tls_sni = ROUTER_SMARTHOST, the macro also used in the smarthost route_data. So
in my config they are the same.

I accept that my DNS set-up is not all that common in the context of SMTP. Not
least because if it was MX driven, then CNAMEs would not work. It's only
because it's a smart host and therefore a "normal" host name that this issue
arises.

Perhaps the default config smarthost router should have an option making the
CNAME behaviour configurable?

--
You are receiving this mail because:
You are on the CC list for the bug.