On Sat, Oct 30, 2021 at 08:07:02AM +0200, Andreas Metzler via Exim-users wrote:
>
> If a host is in tls_verify_hosts and hosts_try_tls but not in
> hosts_require_tls exim will fall back to cleartext.
The Debian-11/Devuan-4 defaults for "SMARTHOST for outgoing main,
fetchmail for incoming mail" are what caused this:
.ifdef MAIN_TLS_VERIFY_HOSTS
tls_verify_hosts = MAIN_TLS_VERIFY_HOSTS
.endif
.ifdef MAIN_TLS_TRY_VERIFY_HOSTS
tls_try_verify_hosts = MAIN_TLS_TRY_VERIFY_HOSTS
.endif
.ifndef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS = *
.endif
.ifdef REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS
hosts_require_tls = REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS
.endif
No idea what the values of the upper case variables are in the
first place. Are they defined at compile time; is there a way to
look them up, other than from the Debian src package?
> @original submitter:
> * Use a certificate that is verifiable without client-side changes, e.g. set up
> DANE on the server and/or use e.g. a letsencrypt cert.
It's not my server, but the colleague says it supports DANE. I
may look into that later.
> * Give client-side exim a way to verify the cert by adding the cert to
> the trusted list.
Thanks. That works.
> * Modify the tls_verify_hosts setting.
There's no such setting in /var/lib/exim4/config.autogenerated.
Ciao
Dominik ^_^ ^_^
--
Dominik Vogt
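The fallback behaviour the quoted text describes (tls_verify_hosts and hosts_try_tls set, hosts_require_tls unset, so a failed handshake silently degrades to cleartext) in transport form, as an added example that is not part of this thread and not Debian's packaged configuration. The transport name, the smarthost name and the file path are assumptions; the option names are Exim's own.

```exim
# Added illustration, not from the thread. Assumed transport name and smarthost.

# Weak: TLS is only *tried*. If STARTTLS fails, or the certificate does not
# verify and the host is not in hosts_require_tls, Exim delivers in cleartext.
remote_smtp_smarthost_weak:
  driver = smtp
  hosts_try_tls = *
  tls_verify_hosts = *
  tls_verify_certificates = system
  # hosts_require_tls is not set here, so verification failure is not fatal

# Hardened: the same host list in hosts_require_tls makes a failed or
# unverifiable TLS session a delivery failure (deferred) instead of a
# cleartext fallback.
remote_smtp_smarthost_hardened:
  driver = smtp
  hosts_require_tls = *
  tls_verify_hosts = *
  tls_verify_certificates = system

# With Debian's macro-driven template, the equivalent effect comes from
# defining the macro before the template is read, e.g. in
# /etc/exim4/exim4.conf.localmacros (assumed location):
#   REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS = *
```

To see what a running Exim actually resolved the macros to, `exim -bP macros` (or `exim -bP macro REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS` for one name) prints the defined macros from the admin user; after any change, `exim -bV` re-parses the configuration and reports syntax errors before the daemon is restarted.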