Re: [exim] Certificate validation failed

Author: Evgeniy Berdnikov
Date:  
To: exim-users
Subject: Re: [exim] Certificate validation failed
On Sat, Oct 30, 2021 at 02:56:40AM -0400, Viktor Dukhovni via Exim-users wrote:
> On Sat, Oct 30, 2021 at 08:07:02AM +0200, Andreas Metzler via Exim-users wrote:
>
> > > Is it really true that for lack of valid certificate there's a way to
> > > get Exim to fall back to cleartext instead???
> >
> > If a host is in tls_verify_hosts and hosts_try_tls but not in
> > hosts_require_tls exim will fall back to cleartext. (That is for the
> > non-DANE case.)
>
> This seems like a footgun combination of configuration options. [...]


How Exim does TLS fallback is described here:

https://www.exim.org/exim-html-current/doc/html/spec_html/ch-encrypted_smtp_connections_using_tlsssl.html#SECTclientTLS

As I understand it, a peer's certificate validation failure is one variant of
general TLS negotiation failure, resulting in fallback to plain text if the
tls_tempfail_tryclear option of the SMTP transport is "true" (the default).
--
Eugene Berdnikov
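For readers following the thread, here is a constructed pair of Exim smtp transport definitions (added to this archive page, not posted by anyone in the thread) showing the combination Andreas describes next to a hardened form. The transport names and the host list (mail.example.com, mail.example.net) are placeholders; the option names are Exim's own transport options as discussed above.

```text
# Constructed example, not from the thread. The combination under discussion:
# hosts in tls_verify_hosts are verified only *if* TLS is negotiated, but they
# are merely in hosts_try_tls, not hosts_require_tls. A failed verification is
# treated as a failed TLS setup, and with tls_tempfail_tryclear at its default
# of true the transport retries the same host in cleartext (non-DANE case).
remote_smtp_verify_but_fallback:
  driver = smtp
  hosts_try_tls = *
  tls_verify_certificates = system
  tls_verify_hosts = mail.example.com : mail.example.net
  # tls_tempfail_tryclear defaults to true, so nothing here stops the downgrade

# Hardened form: the same hosts are also listed in hosts_require_tls, so a TLS
# or verification failure defers the message instead of downgrading it.
# tls_tempfail_tryclear = false additionally stops the clear-text retry for
# any other host where TLS setup fails, at the cost of deferring those too.
remote_smtp_verify_and_require:
  driver = smtp
  hosts_try_tls = *
  tls_verify_certificates = system
  tls_verify_hosts = mail.example.com : mail.example.net
  hosts_require_tls = mail.example.com : mail.example.net
  tls_tempfail_tryclear = false
```

Keeping the tls_verify_hosts and hosts_require_tls lists identical is the point: verification without a requirement to use TLS only gains you a deferral if fallback is also switched off, which is what the thread's "footgun" remark is about.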