Re: [exim] Certificate validation failed

Author: Viktor Dukhovni
Date:  
To: exim-users
Subject: Re: [exim] Certificate validation failed
On Sat, Oct 30, 2021 at 11:58:56AM +0200, Slavko via Exim-users wrote:

> >     smtp_tls_security_level = none | may | encrypt | fingerprint | dane | secure
>
> I think that an ideal MTA must have an option:
>
>     guess_tls_verify = no | user | admin
>
> That "guess" part points to deciding what hosts are trusted and/or
> which are bad.

No. Rather than random ad-hoc policies, we implement and evolve
standards. Thus we have:

    * Base opportunistic TLS: RFC3207
    * DANE SMTP: RFC7672
    * REQUIRETLS: RFC8689
    * MTA-STS (sigh)
    ...


> I am happy that Exim is not an ideal MTA and leaves this "guess" for
> admins to set explicitly/manually in the mentioned options, which have
> usable defaults.

Actually, Exim supports DANE, which (when enabled) honours published
TLSA records, rather than "guessing". And both Exim and Postfix support
different local policies by destination domains.

> Anyway, if Exim aborts an outgoing connection at failed cert verification
> (or any other TLS error) in STARTTLS, it is (IMO) an RFC violation
> (missing clean QUIT), but I do not know if it happens.

No, it is not an RFC violation to abort the handshake, and send a
suitable TLS alert message, but this tends to clutter remote server logs
with low-level error messages their administrator is likely to not
understand.

The main point is to not fall back to cleartext when there was a
perfectly good TLS handshake the MTA could simply choose to not
abort, because the cleartext fallback is definitely not better.

-- 
    Viktor.
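As an added illustration (not code from Exim, Postfix, or either poster), here is the decision logic the reply argues for, modelled on the quoted Postfix security levels: a certificate that fails verification under an opportunistic level still gets delivery over the already-negotiated TLS session, never a cleartext retry. The `Session` fields, the `TlsaState` values and the downgrade of `dane` when no usable TLSA records exist are this example's own assumptions (the downgrade follows the RFC 7672 behaviour Postfix documents); the `fingerprint` level is left out.

```python
# Constructed example: outgoing SMTP TLS policy as a decision table.
# Core rule: once STARTTLS has been negotiated, a failed certificate
# check either continues over the unauthenticated session or defers
# delivery; it never falls back to cleartext.
from dataclasses import dataclass
from enum import Enum


class TlsaState(Enum):
    NONE = "none"          # no TLSA records published for the MX host
    UNUSABLE = "unusable"  # records exist but none are usable (RFC 7672)
    MATCH = "match"        # a usable record matches the presented chain
    MISMATCH = "mismatch"  # usable records exist, none match


@dataclass
class Session:
    starttls_offered: bool
    handshake_ok: bool      # TLS handshake completed, cipher negotiated
    chain_verified: bool    # PKIX chain and name check passed
    tlsa: TlsaState = TlsaState.NONE


def effective_level(level: str, tlsa: TlsaState) -> str:
    """'dane' degrades to 'may' with no TLSA records and to 'encrypt'
    when records exist but none are usable (assumed Postfix semantics)."""
    if level == "dane":
        if tlsa == TlsaState.NONE:
            return "may"
        if tlsa == TlsaState.UNUSABLE:
            return "encrypt"
    return level


def decide(level: str, s: Session) -> str:
    """Return one of: cleartext, tls, tls_authenticated, defer."""
    level = effective_level(level, s.tlsa)
    if level == "none":
        return "cleartext"
    if not s.starttls_offered or not s.handshake_ok:
        # No usable TLS session at all: only the opportunistic level
        # is permitted to deliver in the clear (example's assumption).
        return "cleartext" if level == "may" else "defer"
    # DANE authenticates against TLSA data, the other levels against PKIX.
    auth = s.tlsa == TlsaState.MATCH if level == "dane" else s.chain_verified
    if level in ("may", "encrypt"):
        # A good handshake is used even when the certificate is untrusted.
        return "tls_authenticated" if auth else "tls"
    return "tls_authenticated" if auth else "defer"
```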