Re: [exim] Certificate validation failed

Góra strony
Delete this message
Reply to this message
Autor: Evgeniy Berdnikov
Data:  
Dla: exim-users
Temat: Re: [exim] Certificate validation failed
On Sat, Oct 30, 2021 at 02:56:40AM -0400, Viktor Dukhovni via Exim-users wrote:
> On Sat, Oct 30, 2021 at 08:07:02AM +0200, Andreas Metzler via Exim-users wrote:
>
> > > Is it really true that for lack of valid certificate there's a way to
> > > get Exim to fall back to cleartext instead???
> >
> > If a host is in tls_verify_hosts and hosts_try_tls but not in
> > hosts_require_tls exim will fall back to cleartext. (That is for the
> > non-DANE case.)
>
> This seems like a footgun combination of configuration options. [...]


How Exim is doing TLS fallback is described here:

https://www.exim.org/exim-html-current/doc/html/spec_html/ch-encrypted_smtp_connections_using_tlsssl.html#SECTclientTLS

As I understand, peer's certificate validation failure is one variant of
general TLS negotiation failure, resulting in fallback to plain text if
tls_tempfail_tryclear option of SMTP transport is "true" (default).
--
Eugene Berdnikov