Re: [exim] Blocking a Class C

Author: Slavko
Date:  
To: exim-users
Subject: Re: [exim] Blocking a Class C
On 10 December 2022 17:01:52 UTC, Jeremy Harris via Exim-users <exim-users@???> wrote:

>Yes, for SNI it has to be after the first bit of the TLS startup
>exchange.


Now I am confused. I read that commit (docs changes), but it
is not clear to me: will the $tls_in_* variables have values in
the connect ACL? I guess not, but if so, can you please mention
that somewhere?

I am using the SNI variable in the connect ACL to filter rogue
connections, e.g. with my MX name or with no SNI at all (465). They
are not frequent, but they happen, and if SNI is not set, all
my clients will be fed to the firewall...

Also, you previously mentioned using an invalid certificate for a wrong
SNI name to make TLS fail (or so). It is not clear to me whether you mean
a certificate with an invalid name or a file which is not a certificate (e.g.
/dev/null). IMO brute-forcers don't care about a valid certificate,
thus using an invalid certificate will confuse only legitimate clients.

When I made a mistake in the cert/key lookup expansion some time ago, Exim
logged it loudly (but it was a nonexistent file)... If I remember properly, the docs
explicitly say to use the "default" certificate/key for no/invalid SNI...

Please, can you elaborate more on what you mean by that? Plus some
example, if appropriate.

>> When I recently tried to use the "encrypted=" ACL condition in the helo ACL
>> I got an error, thus while fully equivalent, they are not interchangeable
>> in all related ACLs and it was not documented.
>Details on that, please?


With Exim 4.94.2 I can use the "encrypted=" ACL condition in the connect ACL,
but not in the helo ACL, tested with -bh:

    >>> using ACL "acl_check_helo"
    >>> processing "warn" (/var/lib/exim4/config.autogenerated 1065)
    >>> check !encrypted = *
    >>> warn: condition test error in ACL "acl_check_helo"


The result is 451 (Temporary local problem - please try later) with the log:

    LOG: ... temporarily rejected EHLO or HELO ...:
        cannot test encrypted condition in EHLO or HELO ACL


regards

--
Slavko
https://www.slavino.sk/
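The behaviour described in the message above, as an added configuration example that is not part of the mail or of the Exim project's documentation: the "encrypted" condition is accepted in the connect ACL, while the same test in the HELO ACL produces the "cannot test encrypted condition in EHLO or HELO ACL" error quoted above. The ACL names, the log messages and the use of $tls_in_cipher as a substitute test in the HELO ACL are assumptions made for this example.

```exim
# Added example (not from the original mail): where "encrypted" can be tested.
# ACL names below are assumed; adjust to your configuration.
acl_smtp_connect = acl_check_connect
acl_smtp_helo    = acl_check_helo

begin acl

acl_check_connect:
  # Accepted here: the connect ACL may test the "encrypted" condition.
  # On an implicit-TLS port (465) this logs plaintext arrivals for review.
  warn  !encrypted   = *
        log_message  = plaintext connection from $sender_host_address
  accept

acl_check_helo:
  # NOT accepted here: "warn !encrypted = *" in this ACL gives
  #   "condition test error in ACL acl_check_helo" and a 451 reply
  # (see the -bh output quoted in the mail).
  # Assumed workaround: inspect the TLS variables directly instead.
  warn  condition    = ${if eq{$tls_in_cipher}{}}
        log_message  = HELO/EHLO $sender_helo_name without TLS from $sender_host_address
  accept
```

Test the fragment with `exim -bh <ip-address>` as in the mail: with the "encrypted" line in acl_check_helo the session fails at HELO, while the $tls_in_cipher form only adds a log line and lets the session continue.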