[exim] Re: Follow-Up: Debug TLS/DANE problems it is GnuTLS!

Author: Jeremy Harris
Date:
To: exim-users
Subject: [exim] Re: Follow-Up: Debug TLS/DANE problems it is GnuTLS!
On 06/07/2024 21:08, Wolfgang via Exim-users wrote:
> Ok, now I downloaded OpenSSL 3.3.1 as well, compiled and installed it. I afterwards built exim
> against this OpenSSL installation.


> I received the result, that my exim is not using SNI in STARTTLS!
>
> In
> https://www.exim.org/exim-html-current/doc/html/spec_html/ch-encrypted_smtp_connections_using_tlsssl.html
> I am reading:
>
>> If DANE validated the connection attempt then the value of the tls_sni option is
>> forced to the name of the destination host, after any MX- or CNAME-following.
>
> But that seems not to be true!


Actually, you don't know whether the option was forced. Only the result on the
connection, and you have not described how you evaluated that.

One possibility (but I find it most unlikely) is that the OpenSSL library you
are using was built without "TLS extensions" support. See the comment in that docs chapter,
which gives a way to check on that.

> Can someone point me to a solution, how I can tell exim to use SNI every time, when opening a TLS
> connection? I can't imagine, that I have to do a hostname lookup before and set $tls_in_sni.


A point of confusion there: $tls_in_sni is a variable giving the SNI value
for a received connection, when Exim is operating as the passive end.

The docs sentence you gave is talking about the SMTP transport, and its options.
Transports deal with connections initiated by Exim.

--
Cheers,
Jeremy
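The reply above turns on how "Exim is not using SNI" was actually evaluated. The only thing that settles it is the ClientHello Exim's smtp transport sends right after the server's "220 ... Ready to start TLS" reply: if the server_name extension is in that record, SNI was sent, whatever any variable says. The script below is an added example, not code from the post or from Exim; it parses a raw TLS ClientHello record and returns the host_name from the server_name extension (RFC 6066), or None when the extension is absent. The sample ClientHello is constructed inline for the test and is not a real capture; the file-name argument and the tcpdump/tshark commands in the comments are assumed usage, not anything the thread shows.

```python
"""Extract the SNI host_name from a TLS ClientHello record.

Added example, not from the exim-users post or from Exim. Intended use
(assumed): capture the outbound SMTP session, e.g.
    tcpdump -i eth0 -s0 -w starttls.pcap 'tcp port 25'
then export the first TLS record Exim sent after "220 ... Ready to start TLS"
as raw bytes and run:  python3 sni_check.py clienthello.bin
"""
import struct
import sys


def _u8(b, i):
    return b[i], i + 1


def _u16(b, i):
    return struct.unpack_from("!H", b, i)[0], i + 2


def _u24(b, i):
    return int.from_bytes(b[i:i + 3], "big"), i + 3


def parse_client_hello_sni(record: bytes):
    """Return the host_name carried in the ClientHello's server_name
    extension, or None if the ClientHello has no such extension.
    Raises ValueError if `record` is not a handshake record holding a
    ClientHello."""
    # TLS record header: content_type (0x16 = handshake), version, length
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len, _ = _u16(record, 3)
    body = record[5:5 + rec_len]
    # Handshake header: msg_type (1 = ClientHello), 24-bit length
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len, i = _u24(body, 1)
    hello = body[i:i + hs_len]
    i = 2 + 32                        # skip client_version + random
    sid_len, i = _u8(hello, i)        # session_id
    i += sid_len
    cs_len, i = _u16(hello, i)        # cipher_suites
    i += cs_len
    comp_len, i = _u8(hello, i)       # compression_methods
    i += comp_len
    if i >= len(hello):
        return None                   # no extensions block at all
    ext_total, i = _u16(hello, i)
    end = i + ext_total
    while i + 4 <= end:
        ext_type, i = _u16(hello, i)
        ext_len, i = _u16(hello, i)
        ext = hello[i:i + ext_len]
        i += ext_len
        if ext_type != 0x0000:        # 0 = server_name
            continue
        list_len, j = _u16(ext, 0)    # ServerNameList length
        k = j
        while k < j + list_len:
            name_type, k = _u8(ext, k)
            name_len, k = _u16(ext, k)
            name = ext[k:k + name_len]
            k += name_len
            if name_type == 0:        # NameType host_name
                return name.decode("ascii")
    return None


def build_client_hello(sni=None) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record. Constructed test input
    only; a real Exim ClientHello carries many more suites and extensions."""
    # An unrelated extension first, so the parser is seen skipping it.
    exts = struct.pack("!HH", 0x000d, 4) + b"\x00\x02\x04\x01"  # signature_algorithms
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name  # host_name entry
        sn_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(sn_list)) + sn_list
    hello = (b"\x03\x03" + bytes(32)           # client_version + random
             + b"\x00"                          # empty session_id
             + b"\x00\x02\x13\x01"              # one cipher suite
             + b"\x01\x00"                      # null compression only
             + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 \
        else build_client_hello("mx.example.org")
    print("SNI:", parse_client_hello_sni(data))
```

If you already have a pcap, the same check without any code is the server_name field of the first ClientHello on the port 25 stream (tshark's `tls.handshake.extensions_server_name` field on current Wireshark releases). Either way the answer comes from the wire, which is the point of the reply: $tls_in_sni is only populated on inbound connections, and what the outbound side sends is governed by the smtp transport's tls_sni option (and, per the spec chapter quoted, forced to the destination host name when DANE validated the connection), so an absent server_name in the capture is evidence about the transport and the TLS library, not about that variable.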


--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/