On Sat, Oct 30, 2021 at 08:07:02AM +0200, Andreas Metzler via Exim-users wrote:
> > Is it really true that for lack of valid certificate there's a way to
> > get Exim to fall back to cleartext instead???
>
> If a host is in tls_verify_hosts and hosts_try_tls but not in
> hosts_require_tls exim will fall back to cleartext. (That is for the
> non-DANE case.)
This seems like a footgun combination of configuration options. Either
tls_verify_hosts should be preëmpted by lack of a corresponding listing
in hosts_require_tls, or else with tls_verify_hosts, verification
failure should preëpt fallback to cleartext.
As it stands, enabling tls_verify_hosts can in may cases reduce, rather
than increase security.
In Postfix we like to shy away from combinatorial interations of
overlapping boolean settings, and strive to construct a single
multi-valued (non-boolean) setting that rationalises the available
options.
Thus:
smtp_tls_security_level = none | may | encrypt | fingerprint | dane | secure
If you want opportunistic TLS, you choose "may", and certificates are
not verified. If you want mandatory TLS, you choose "encrypt" or
better, and there's no cleartext fallback.
The one nit that's not been addressed yet is a policy for domains that
don't publish TLSA records. It isn't currently possible to do "dane"
else "encrypt". Need a dane-fallback level (default "may").
--
Viktor.
