The subject line caught my interest.

My mail domain is DNSSEC Signed and I have SSL/TLS Certificates (Let's Encrypt - which I've automated) that cover it - and have implemented TLSA records for my mail server a few years back. So if the recipient SMTP server also happens to have a TLSA DNS record - I see no reason to have a database record that includes it and would think the only "Domains I must use TLS with" are domains that do not have a TLSA record. This would reduce the size of your Database table - which one day could be of Zero size. Wouldn't that be a target to strive for?


On 2023/03/29 10:56, Olaf Hopp (SCC) via Exim-users wrote:
On 3/28/23 15:59, Mike Tubby via Exim-users wrote:
Hi Olaf,


# Router for domains that must always be delivered over TLS
# (the list +tls_force_remote_domains is defined elsewhere in the config)
outbound_force_tls:
  driver = dnslookup
  domains = +tls_force_remote_domains
  transport = remote_smtp_force_tls

# Router for all other remote domains
outbound_lookup:
  driver = dnslookup
  domains = ! +local_domains
  transport = remote_smtp
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
  no_more


and then this in my transports:
# Ordinary delivery: TLS is opportunistic
remote_smtp:
  driver = smtp

# Forced-TLS delivery: refuse to send in clear to any host
remote_smtp_force_tls:
  driver = smtp
  hosts_require_tls = *
  hosts_try_fastopen = !*.l.google.com
  tls_require_ciphers = HIGH:!SRP:!PSK:!SHA:@STRENGTH



Hi Mike,
thanks for your code. But my question was not how to implement "domains-with-force-TLS".
This is already solved and I ended up with two almost identical routers
and two almost identical transports. Your config also uses 2 routers and 2 transports. In my case these routers and transports are lengthy and also do all of the DKIM signing stuff. And my question was how to get rid of the second router and transport and to consolidate my code.

Jeremy's proposal sounded promising at first look, but after his correction that I have to use "max_rcpts = 1" and that these are my main routers / transports handling ~200k mails per day I decided still to live with 2 pairs of routers and transports and keep in mind, when I change one of them, I have to change the other one as well.
"max_rcpts = 1" seems too "expensive" in my use case.

Regards, Olaf



--

Mark James ELKINS  -  Posix Systems - (South) Africa
m...@posix.co.za Tel: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
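Mark's suggestion above is to keep a domain in the forced-TLS list only when its mail hosts publish no TLSA record, so that DANE covers the rest. The script below is an added example, not code from this thread or from the Exim project: it audits a forced-TLS domain list the way an operator would before pruning it. The DNS data is constructed inline (a hypothetical `SAMPLE_DNS` table standing in for real MX and TLSA lookups) so the example runs offline; a real audit would replace it with validating resolver queries. It also handles the caveat that matters for Mike's `hosts_require_tls = *` transport: DANE is per MX host, so a domain whose MX hosts are only partly covered by DNSSEC-validated TLSA records is still delivered to the uncovered hosts with merely opportunistic TLS unless it stays in the forced list.

```python
"""Audit a forced-TLS domain list against DANE (TLSA) coverage of each domain's MX hosts.

Constructed example data only; no network access is performed.
"""
from dataclasses import dataclass, field

# Constructed TLSA RDATA: usage 3 (DANE-EE), selector 1 (SPKI), matching type 1 (SHA-256).
FAKE_TLSA = "3 1 1 " + "ab" * 32

# Hypothetical DNS snapshot.  "mx" maps a domain to (priority, host) pairs;
# "tlsa" maps a TLSA owner name to (rrset, dnssec_validated).  The validated
# flag models the resolver's AD bit: DANE requires the TLSA answer to be
# DNSSEC-validated, otherwise the record must be ignored.
SAMPLE_DNS = {
    "mx": {
        "posix.example": [(10, "mail.posix.example")],
        "mixed.example": [(10, "mx1.mixed.example"), (20, "mx2.mixed.example")],
        "unsigned.example": [(10, "mail.unsigned.example")],
        "nomx.example": [],  # no MX at all: implicit MX on the domain itself
    },
    "tlsa": {
        "_25._tcp.mail.posix.example": ([FAKE_TLSA], True),
        "_25._tcp.mx1.mixed.example": ([FAKE_TLSA], True),
        "_25._tcp.mx2.mixed.example": ([], True),           # signed zone, no TLSA
        "_25._tcp.mail.unsigned.example": ([FAKE_TLSA], False),  # TLSA without DNSSEC
    },
}


def mx_hosts(domain, dns):
    """Return the delivery hosts for a domain in MX priority order.

    A domain with no MX record falls back to the implicit MX (its own name),
    as an MTA does per RFC 5321 section 5.1.
    """
    records = dns["mx"].get(domain, [])
    if not records:
        return [domain]
    return [host for _, host in sorted(records)]


def tlsa_usable(host, dns, port=25):
    """True if the host has a non-empty, DNSSEC-validated TLSA record for SMTP."""
    rrset, validated = dns["tlsa"].get(f"_{port}._tcp.{host}", ([], False))
    return bool(rrset) and validated


@dataclass
class Verdict:
    domain: str
    dane_covered: bool
    uncovered_hosts: list = field(default_factory=list)


def audit(domain, dns):
    """Decide whether DANE covers every MX host of the domain."""
    missing = [h for h in mx_hosts(domain, dns) if not tlsa_usable(h, dns)]
    return Verdict(domain, not missing, missing)


def prune_forced_tls(domains, dns):
    """Split a forced-TLS list into domains to keep and domains DANE can take over.

    Only a domain whose every MX host has a usable TLSA record is safe to drop:
    a partially covered domain would otherwise be delivered to its uncovered
    hosts with opportunistic TLS only.
    """
    keep, drop = [], []
    for domain in domains:
        verdict = audit(domain, dns)
        (drop if verdict.dane_covered else keep).append(verdict)
    return keep, drop


if __name__ == "__main__":
    forced = ["posix.example", "mixed.example", "unsigned.example", "nomx.example"]
    keep, drop = prune_forced_tls(forced, SAMPLE_DNS)
    for v in drop:
        print(f"drop {v.domain}: all MX hosts have validated TLSA")
    for v in keep:
        print(f"keep {v.domain}: no usable TLSA on {', '.join(v.uncovered_hosts)}")
```

The transport side of this policy in Exim is the real option `hosts_require_dane` (refuse cleartext to any host that publishes TLSA), which is what makes dropping a fully covered domain from the forced list safe; domains the script keeps still need a `hosts_require_tls` transport.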


--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/