On Sat, Oct 30, 2021 at 02:09:21PM +0200, Slavko via Exim-users wrote:
> It is useless to use TLS for moving messages, e.g. between LXC hosts (not
> VPS) or for delegating delivery to another MDA, when it stays on the same
> machine. If someone can gain root access to inspect/intercept them,
> then they can get the keys to decrypt them too, or even do more harm...

Nobody is proposing that TLS policy be inflexibly uniform for all
destinations. My observation is merely that the options to choose
from should as much as possible make sense. If it is too easy to
accidentally configure footgun behaviour, then the design could
be reconsidered.

My suggestion would be that if someone configures mandatory verification
to some destination, then cleartext fallback should not happen. Only
"try" verification should support optional cleartext fallback.

> I agree that more options lead to more mistakes, but on the other
> side, more options allow more customization and do not force
> some behavior for all.

I am not arguing for fewer options, I'm arguing for a rational UI
to the available behaviours that does not expose inexperienced
users to footgun choices.

--
Viktor.
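As an added illustration of the coupling Viktor proposes (this is not configuration from the thread): an Exim smtp transport in which the destination that needs mandatory certificate verification is also listed in hosts_require_tls, so that TLS itself cannot be skipped. The option names are Exim's smtp-transport options; the host pattern and the CA-bundle path are placeholders to be replaced with the operator's own values.

```exim
# Added example, not from the thread. Destination list and CA path are
# placeholders. The point: a host that must have its certificate verified
# is ALSO required to negotiate TLS, so a peer that does not offer
# STARTTLS, or whose certificate fails verification, is deferred rather
# than delivered to in cleartext.
remote_smtp:
  driver = smtp

  # Mandatory TLS: if TLS cannot be negotiated to these hosts, defer.
  hosts_require_tls = *.verified.example

  # Mandatory verification: when TLS is used to these hosts, the
  # certificate must verify or the connection fails.
  tls_verify_hosts = *.verified.example

  # Trust store for verification (adjust to the local CA bundle).
  tls_verify_certificates = /etc/ssl/certs/ca-certificates.crt

  # Everyone else: opportunistic TLS, verification attempted but failure
  # tolerated. This is the only tier where cleartext fallback is acceptable.
  tls_try_verify_hosts = *
```

Listing a destination in tls_verify_hosts alone, without the matching hosts_require_tls entry, is the combination the thread warns about: verification is enforced only when TLS is negotiated, and a peer that simply does not offer TLS is still delivered to in cleartext.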