On Sat, Oct 30, 2021 at 11:58:56AM +0200, Slavko via Exim-users wrote:
> > smtp_tls_security_level = none | may | encrypt | fingerprint | dane | secure
>
> I think, that ideal MTA must have option:
>
> guess_tls_verify = no | user | admin
>
> That "guess" part points to deciding what hosts are trusted and/or
> which are bad.
No. Rather than random ad-hoc policies, we implement and evolve
standards. Thus we have:
* Base opportunistic TLS: RFC3207
* DANE SMTP: RFC7672
* REQUIRETLS: RFC8689
* MTA-STS (sigh)
...
> I am happy, that exim is not ideal MTA and leaves this "guess" for
> admins to set it explicitly/manually in mentioned options, which have
> usable defaults.
Actually, Exim supports DANE, which (when enabled) honours published
TLSA records, rather than "guessing". And both Exim and Postfix support
different local policies by destination domains.
> Anyway, if Exim aborts outgoing connection at failed cert verification
> (or any other TLS error) in STARTTLS, it is (IMO) RFC violation
> (missing clean QUIT), but I do not know if it happens.
No, it is not an RFC violation to abort the handshake, and send a
suitable TLS alert message, but this tends to clutter remote server logs
with low-level error messages their administrator is likely to not
understand.
The main point is to not fall back to cleartext when there was a
perfectly good TLS handshake the MTA could simply choose to not
abort, because the cleartext fallback is definitely not better.
--
Viktor.
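A small model of the DANE SMTP (RFC 7672) decision that the reply describes, honouring published TLSA records instead of "guessing" and never ending in cleartext; this is an added Python example, not code from Exim, Postfix or the message author, and the certificate/SPKI bytes are constructed stand-ins (DANE-TA path validation through the trust anchor is omitted):

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class TLSA:
    """One TLSA record: certificate usage, selector, matching type, association data."""
    usage: int     # 2 = DANE-TA, 3 = DANE-EE; 0/1 (PKIX-*) are unusable for SMTP per RFC 7672
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact, 1 = SHA-256, 2 = SHA-512
    data: bytes

def usable(rec):
    """RFC 7672 restricts SMTP DANE to usages 2 and 3 with known selector/matching types."""
    return rec.usage in (2, 3) and rec.selector in (0, 1) and rec.mtype in (0, 1, 2)

def _digest(mtype, blob):
    return {0: lambda b: b, 1: lambda b: hashlib.sha256(b).digest(),
            2: lambda b: hashlib.sha512(b).digest()}[mtype](blob)

def tlsa_matches(rec, chain):
    """chain: [(cert_der, spki_der), ...], leaf first. DANE-EE checks only the leaf;
    DANE-TA checks the issuing certificates (path validation through the TA omitted here)."""
    candidates = chain[:1] if rec.usage == 3 else chain[1:]
    for cert_der, spki_der in candidates:
        blob = cert_der if rec.selector == 0 else spki_der
        if _digest(rec.mtype, blob) == rec.data:
            return True
    return False

def decide(records, chain):
    """Policy outcome for a DANE-enabled client: the one thing it never returns is cleartext."""
    usable_recs = [r for r in records if usable(r)]
    if not usable_recs:
        return "unauthenticated-tls"   # TLSA set present but unusable: still TLS, no auth
    if any(tlsa_matches(r, chain) for r in usable_recs):
        return "authenticated"
    return "abort"                     # mismatch: defer delivery rather than downgrade

# Constructed sample data standing in for DER-encoded certificates and SPKIs.
_LEAF_CERT, _LEAF_SPKI = b"constructed leaf cert", b"constructed leaf spki"
_CA_CERT, _CA_SPKI = b"constructed issuer cert", b"constructed issuer spki"
SAMPLE_CHAIN = [(_LEAF_CERT, _LEAF_SPKI), (_CA_CERT, _CA_SPKI)]
GOOD_EE = TLSA(3, 1, 1, hashlib.sha256(_LEAF_SPKI).digest())    # "3 1 1" leaf SPKI
GOOD_TA = TLSA(2, 0, 1, hashlib.sha256(_CA_CERT).digest())      # "2 0 1" issuer cert
BAD_EE = TLSA(3, 1, 1, hashlib.sha256(b"some other key").digest())
PKIX_ONLY = TLSA(1, 1, 1, hashlib.sha256(_LEAF_SPKI).digest())  # usage 1 unusable for SMTP

if __name__ == "__main__":
    for name, recs in [("good EE", [GOOD_EE]), ("bad EE", [BAD_EE]), ("PKIX only", [PKIX_ONLY])]:
        print(name, "->", decide(recs, SAMPLE_CHAIN))
```

The "abort" outcome is the deferral the reply prefers over a cleartext retry; a real client would also require the TLSA lookup itself to be DNSSEC-validated before trusting it.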