The subject line caught my interest.
My mail domain is DNSSEC Signed and I have SSL/TLS Certificates (Let's
Encrypt - which I've automated) that cover it - and have implemented
TLSA records for my mail server a few years back. So if the recipient
SMTP server also happens to have a TLSA DNS record - I see no reason to
have a database record that includes it and would think the only
"Domains I must use TLS with" are domains that do not have a TLSA
record. This would reduce the size of your Database table - which one
day could be of Zero size. Wouldn't that be a target to strive for?
On 2023/03/29 10:56, Olaf Hopp (SCC) via Exim-users wrote:
> On 3/28/23 15:59, Mike Tubby via Exim-users wrote:
>> Hi Olaf,
>>
>>
>> outbound_force_tls:
>>   driver = dnslookup
>>   domains = +tls_force_remote_domains
>>   transport = remote_smtp_force_tls
>>
>>
>> outbound_lookup:
>>   driver = dnslookup
>>   domains = ! +local_domains
>>   transport = remote_smtp
>>   ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
>>   no_more
>>
>>
>> and then this in my transports:
>> remote_smtp:
>>   driver = smtp
>>
>> remote_smtp_force_tls:
>>   driver = smtp
>>   hosts_require_tls = *
>>   hosts_try_fastopen = !*.l.google.com
>>   tls_require_ciphers = HIGH:!SRP:!PSK:!SHA:@STRENGTH
>>
>>
>
> Hi Mike,
> thanks for your code. But my question was not how to implement
> "domains-with-force-TLS"
> This is already solved and I ended up with two almost identical routers
> and two almost identical transports. Your config also uses 2 routers
> and 2 transports.
> In my case these routers and transports are lengthy and also do all of
> the DKIM signing stuff.
> And my question was to get rid of the second router and transport and to
> consolidate my code.
>
> Jeremy's proposal sounded promising at first look, but after his
> correction
> that I have to use "max_rcpts = 1" and that these are my main routers
> / transports
> handling ~200k Mails per day I decided still to live with 2 pairs of
> routers and transports
> and keep in mind, when I change one of them, I have to change the
> other one as well.
> "max_rcpts = 1" seems too "expensive" in my use case.
>
> Regards, Olaf
--
Mark James ELKINS - Posix Systems - (South) Africa
mje@??? Tel: +27.826010496
For fast, reliable, low cost Internet in ZA:
https://ftth.posix.co.za
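As an added illustration of the approach Mark describes (example config written for this thread, not taken from any poster's setup), here is a single Exim router/transport pair that lets DANE enforce TLS wherever the remote publishes DNSSEC-signed TLSA records and keeps a hand-maintained list only for domains without them. It assumes an Exim build with DANE support, a validating resolver, and a hypothetical list file /etc/exim/tls_force_domains; the `max_rcpts = 1` line is the cost Olaf raised, because `$domain` is only defined in the transport when every recipient in the delivery shares a domain.

```exim
# Example only: one router/transport pair using DANE plus a fallback list.
# The list file path is an assumption for this example.
domainlist tls_force_remote_domains = lsearch;/etc/exim/tls_force_domains

begin routers

outbound_lookup:
  driver = dnslookup
  domains = ! +local_domains
  transport = remote_smtp
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
  # Request DNSSEC validation so that TLSA lookups can be trusted
  # (the resolver Exim talks to must itself validate).
  dnssec_request_domains = *
  no_more

begin transports

remote_smtp:
  driver = smtp
  # Where DNSSEC-validated TLSA records exist, DANE requires TLS and
  # verifies the certificate against them; no per-domain entry is needed,
  # so the manual list below only has to cover domains without TLSA.
  hosts_try_dane = *
  # $domain is set in the transport only when all recipients in the
  # delivery share one domain; forcing one recipient per delivery makes
  # the expansion below reliable, at the cost Olaf objected to.
  max_rcpts = 1
  # Require TLS for every host when the recipient domain is on the list,
  # and for none otherwise (DANE still applies independently).
  hosts_require_tls = ${if match_domain{$domain}{+tls_force_remote_domains}{*}{}}
  tls_require_ciphers = HIGH:!SRP:!PSK:!SHA:@STRENGTH
```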