On 10/08/16 15:20, Mark Elkins wrote:
> Without DANE/TLSA records.
>
> -------------------
>
> (1) When two Mail Servers talk and discover (opportunistically) that
> they can both talk SSL/TLS, does the Sender ever check the Receiver's
> Certificate to make sure that Primary or Alternative names match the
> Receiving Server it is trying to connect to?

It's up to it to do so. In Exim, you have to ask for that - tls_verify_hosts
and tls_verify_cert_hostnames on the smtp transport.

> (3) What makes a Sending mail server ever connect to port 465 of a
> receiving mail server, except the obvious of some sort of static
> configuration?

Exim can be pretty dynamic... but that's not really what you're asking for.
There's a little-used DNS record type called "SRV" that can help. See, e.g.,
the Wikipedia description. In Exim, see the check_srv option on the dnslookup
router.

> -------------------
>
> With DANE:
[...]
> I personally think it _should_ work - but don't know. (Have not yet got
> Exim to speak DANE, or found the HowTo which describes this).

See the experimental-spec.txt file. You have to deliberately compile with
DANE support, and with OpenSSL. There's no GnuTLS support yet (hence the
lack of it in the mainline).
--
Cheers,
Jeremy

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
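An added configuration example (mine, not from Jeremy's mail or the Exim distribution) showing where the options named above sit; it assumes a DANE-enabled OpenSSL build for the hosts_try_dane line and that /etc/ssl/certs/ca-certificates.crt is the local CA bundle:

```exim
# Added example, not from the original mail. Fragments of a dnslookup
# router and an smtp transport; the rest of the configuration is assumed.

begin routers

dnslookup:
  driver = dnslookup
  transport = remote_smtp
  # Question (3): look up _smtp._tcp.<domain> SRV records before MX, so a
  # receiver can advertise a non-25 port without static configuration.
  check_srv = smtp
  # Ask for DNSSEC-validated answers; DANE is only meaningful with them.
  dnssec_request_domains = *

begin transports

remote_smtp:
  driver = smtp
  # Question (1): by default Exim does opportunistic TLS but does not
  # verify the peer certificate at all. The three lines below change that.
  # CA bundle to verify the chain against (assumed path):
  tls_verify_certificates = /etc/ssl/certs/ca-certificates.crt
  # Fail delivery (rather than fall back) if verification fails, for all hosts:
  tls_verify_hosts = *
  # Also require the certificate's CN/SAN to match the host Exim connects to:
  tls_verify_cert_hostnames = *
  # With DANE: use TLSA records where the receiving domain publishes them
  # (requires the DANE-enabled build Jeremy describes).
  hosts_try_dane = *
```

Without tls_verify_hosts and tls_verify_cert_hostnames the session is still encrypted, but any certificate is accepted, which is the gap the first question is asking about.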
