On Sat, Oct 30, 2021 at 10:46:24AM +0300, Evgeniy Berdnikov via Exim-users wrote:
> > This seems like a footgun combination of configuration options. [...] > > How Exim is doing TLS fallback is described here: > > > https://www.exim.org/exim-html-current/doc/html/spec_html/ch-encrypted_smtp_connections_using_tlsssl.html#SECTclientTLS > > As I understand, peer's certificate validation failure is one variant of > general TLS negotiation failure, resulting in fallback to plain text if > tls_tempfail_tryclear option of SMTP transport is "true" (default). Yes, but this is an "opt-in" failure mode. You don't have to try to verify, and even if you try to verify you don't have to choose to abort the handshake when verification fails. Note that X.509 certificate verification lies outside of TLS, and is in an entirely separate library in some TLS stacks. Certificate verification failure is only a TLS handshake failure if one chooses it to be. The only reason to abort the handshake on verification failure is if you insist on a secure connection, and then you'd better not fall back to cleartext which would be just absurd. Either require a secure connection, or don't, ... the combination of behaviours makes no sense. Yes, Exim currently makes it possible, but that such booby traps for the user are design errors, when they're not (as in this case) just implementation bugs. -- Viktor. P.S. In Postfix we never abort a TLS handshake due to verification failure even when authentication is required. Instead we let the handshake complete, and then, if verification was required, but did not succeed, politely terminate the connection (by sending QUIT) without sending the message. Some day I may define an SMTP extension for in-band signalling of authentication failures, that servers can offer if they want near real-time notification that clients are seeing problems with the server certificates. -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
