The subject line caught my interest.
My mail domain is DNSSEC Signed and I have SSL/TLS Certificates (Let's
Encrypt - which I've automated) that cover it - and have implemented
TLSA records for my mail server a few years back. So if the recipient
SMTP server also happens to have a TLSA DNS record - I see no reason to
have a database record that includes it and would think the only
"Domains I must use TLS with" are domains that do not have a TLSA
record. This would reduce the size of your Database table - which one
day could be of Zero size. Wouldn't that be a target to strive for?

On 2023/03/29 10:56, Olaf Hopp (SCC) via Exim-users wrote:
On 3/28/23 15:59, Mike Tubby via Exim-users wrote:

Hi Olaf,

outbound_force_tls:
  driver = dnslookup
  domains = +tls_force_remote_domains
  transport = remote_smtp_force_tls

outbound_lookup:
  driver = dnslookup
  domains = ! +local_domains
  transport = remote_smtp
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
  no_more

and then this in my transports:

remote_smtp:
  driver = smtp

remote_smtp_force_tls:
  driver = smtp
  hosts_require_tls = *
  hosts_try_fastopen = !*.l.google.com
  tls_require_ciphers = HIGH:!SRP:!PSK:!SHA:@STRENGTH

Hi Mike,
thanks for your code. But my question was not how to implement
"domains-with-force-TLS".
This is already solved and I ended up with two almost identical routers
and two almost identical transports. Your config also uses 2 routers
and 2 transports.
In my case these routers and transports are lengthy and also do all of
the DKIM signing stuff.
And my question was how to get rid of the second router and transport
and to consolidate my code.
Jeremy's proposal sounded promising at first look, but after his
correction that I have to use "max_rcpts = 1" and that these are my
main routers / transports handling ~200k mails per day I decided still
to live with 2 pairs of routers and transports and keep in mind, when I
change one of them, I have to change the other one as well.
"max_rcpts = 1" seems too "expensive" in my use case.

Regards, Olaf

--
Mark James ELKINS - Posix Systems - (South) Africa
m...@posix.co.za Tel: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
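
The pruning idea from the top of this thread, sketched as an added example (not code from any poster or from Exim): a forced-TLS table entry is treated as redundant only when the domain's MX RRset and the TLSA RRset of every MX host are DNSSEC-validated. It assumes the sending server actually verifies DANE; the Answer type, function names and DNS data are constructed for illustration.

```python
# Added example: which forced-TLS table entries does DANE already cover?
# The DNS answers below are constructed; a real run would take them from a
# DNSSEC-validating resolver (AD bit set on the MX and TLSA answers).
from dataclasses import dataclass

@dataclass(frozen=True)
class Answer:
    secure: bool    # True only if the resolver validated the RRset
    records: tuple  # RR data as strings

def tlsa_name(mx_host, port=25):
    """Owner name of the TLSA RRset for an SMTP server (RFC 7672)."""
    return f"_{port}._tcp.{mx_host.rstrip('.').lower()}."

def dane_covers(domain, mx, tlsa):
    """True if every MX host of `domain` has a validated, usable TLSA RRset."""
    mx_ans = mx.get(domain.lower())
    if mx_ans is None or not mx_ans.secure or not mx_ans.records:
        return False  # unsigned or missing MX RRset: DANE cannot apply
    for host in mx_ans.records:
        ans = tlsa.get(tlsa_name(host))
        if ans is None or not ans.secure:
            return False  # one MX without TLSA can still be reached in clear
        # RFC 7672: only usages DANE-TA(2) and DANE-EE(3) are usable for SMTP
        if not any(r.split()[0] in ("2", "3") for r in ans.records):
            return False
    return True

def prune(forced, mx, tlsa):
    """Split the table into (entries still needed, entries DANE makes redundant)."""
    keep = sorted(d for d in forced if not dane_covers(d, mx, tlsa))
    drop = sorted(d for d in forced if dane_covers(d, mx, tlsa))
    return keep, drop

# Constructed sample data (example domains, placeholder digests)
MX = {
    "signed.example": Answer(True, ("mx1.signed.example.",)),
    "partial.example": Answer(True, ("mx1.partial.example.", "mx2.partial.example.")),
    "unsigned.example": Answer(False, ("mail.unsigned.example.",)),
}
TLSA = {
    "_25._tcp.mx1.signed.example.": Answer(True, ("3 1 1 <constructed-digest>",)),
    "_25._tcp.mx1.partial.example.": Answer(True, ("3 1 1 <constructed-digest>",)),
    "_25._tcp.mail.unsigned.example.": Answer(False, ("3 1 1 <constructed-digest>",)),
}

if __name__ == "__main__":
    print(prune(MX.keys(), MX, TLSA))
```

The partially covered domain stays in the table because a message routed to its second MX would get only opportunistic TLS without the forced-TLS entry.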