Re: [exim-dev] [Bug 2265] TLS SNI not auto-set for DANE clients

2022-04-12 Thread Andreas Metzler via Exim-dev
Exim-dev wrote: > If DANE validated the connection attempt then the value of the &%tls_sni%& > option > -is forced to the domain part of the recipient address. > +is forced to the name of the destination host, after any MX- or > CNAME-folowing. Good morning, just saw the patch in git history a
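Review bot: the added line misspells "following" as "folowing" in "after any MX- or > CNAME-folowing"; it should read "after any MX- or CNAME-following". The sentence also still opens with "If DANE validated the connection attempt", while the new wording ties the forced &%tls_sni%& value to the destination host name, so it is worth confirming that the condition and the forced value are described consistently.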

[exim-dev] [Bug 2265] TLS SNI not auto-set for DANE clients

2021-10-24 Thread admin--- via Exim-dev
https://bugs.exim.org/show_bug.cgi?id=2265 Jeremy Harris changed: What|Removed |Added Resolution|--- |FIXED Status|ASSIGNED

[exim-dev] [Bug 2265] TLS SNI not auto-set for DANE clients

2021-10-16 Thread admin--- via Exim-dev
https://bugs.exim.org/show_bug.cgi?id=2265 Jeremy Harris changed: What|Removed |Added Status|ASSIGNED|RESOLVED Resolution|---

[exim-dev] [Bug 2265] TLS SNI not auto-set for DANE clients

2021-05-11 Thread admin--- via Exim-dev
https://bugs.exim.org/show_bug.cgi?id=2265 --- Comment #13 from Git Commit --- Git commit: https://git.exim.org/exim.git/commitdiff/79aa468aad79f9f1f46efe6a1b2340e7af6fe6f7 commit 79aa468aad79f9f1f46efe6a1b2340e7af6fe6f7 Author: Heiko Schlittermann (HS12-RIPE) AuthorDate: Mon May 3 15:53:28

[exim-dev] [Bug 2265] TLS SNI not auto-set for DANE clients

2020-09-28 Thread admin--- via Exim-dev
https://bugs.exim.org/show_bug.cgi?id=2265 --- Comment #12 from Git Commit --- Git commit: https://git.exim.org/exim.git/commitdiff/f093e580a55ad4d41a3ba70bae265b131b5c3bbb commit f093e580a55ad4d41a3ba70bae265b131b5c3bbb Author: Jeremy Harris AuthorDate: Mon Sep 28 22:41:10 2020 +0100 Commi

[exim-dev] [Bug 2265] TLS SNI not auto-set for DANE clients

2020-08-26 Thread admin--- via Exim-dev
https://bugs.exim.org/show_bug.cgi?id=2265 Jeremy Harris changed: What|Removed |Added Status|NEW |ASSIGNED --- Comment #11 from Jeremy Harris ---

[exim-dev] [Bug 2265] TLS SNI not auto-set for DANE clients

2020-08-23 Thread admin--- via Exim-dev
https://bugs.exim.org/show_bug.cgi?id=2265 --- Comment #10 from Git Commit --- Git commit: https://git.exim.org/exim.git/commitdiff/99350dede64ad634300ddf15d0d97a81fd75d330 commit 99350dede64ad634300ddf15d0d97a81fd75d330 Author: Jeremy Harris AuthorDate: Sun Aug 23 15:32:48 2020 +0100 Commi

[exim-dev] [Bug 2265] TLS SNI not auto-set for DANE clients

2020-08-19 Thread admin--- via Exim-dev
https://bugs.exim.org/show_bug.cgi?id=2265 Git Commit changed: What|Removed |Added CC||g...@exim.org --- Comment #9 from Git Commit --- G

Re: [exim-dev] [Bug 2265] TLS SNI not auto-set for DANE clients

2020-08-17 Thread Jeremy Harris via Exim-dev
On 17/08/2020 23:33, Viktor Dukhovni via Exim-dev wrote: > The Exim case should be somewhat simpler since nothing is persisted > out of process Not so. -- Cheers, Jeremy -- ## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##

Re: [exim-dev] [Bug 2265] TLS SNI not auto-set for DANE clients

2020-08-17 Thread Viktor Dukhovni via Exim-dev
> On Aug 17, 2020, at 7:08 PM, admin--- via Exim-dev wrote: > > https://bugs.exim.org/show_bug.cgi?id=2265 > > --- Comment #8 from Jeremy Harris --- > Disabling multi_domain turns out to be Extremely Painful because we don't find > out > that DANE was used until deep in the transport, well afte

[exim-dev] [Bug 2265] TLS SNI not auto-set for DANE clients

2020-08-17 Thread admin--- via Exim-dev
https://bugs.exim.org/show_bug.cgi?id=2265 --- Comment #8 from Jeremy Harris --- Disabling multi_domain turns out to be Extremely Painful because we don't find out that DANE was used until deep in the transport, well after the addresslist was built for a message - combined with all the ways Exim

[exim-dev] [Bug 2265] TLS SNI not auto-set for DANE clients

2020-06-22 Thread admin--- via Exim-dev
https://bugs.exim.org/show_bug.cgi?id=2265 --- Comment #7 from Jeremy Harris --- Seems plausible; all we need is for someone to put in the coding and testing effort.

[exim-dev] [Bug 2265] TLS SNI not auto-set for DANE clients

2020-06-17 Thread admin--- via Exim-dev
https://bugs.exim.org/show_bug.cgi?id=2265 --- Comment #6 from Phil Pennock --- Viktor notes on exim-users: --- Thanks for bringing this up. Indeed for DANE it is essential to ignore any statically configured value and use the "TLSA base domain". Otherwise, the cert chain you get may well not be

[exim-dev] [Bug 2265] TLS SNI not auto-set for DANE clients

2018-05-07 Thread admin--- via Exim-dev
https://bugs.exim.org/show_bug.cgi?id=2265 --- Comment #5 from Jeremy Harris --- You're right about $tls_out_dane not being set early enough, and I do see the simplicity point. It does seem a shame to lose the flexibility of being able to set an SNI to something nonstandard though. As a usable v

[exim-dev] [Bug 2265] TLS SNI not auto-set for DANE clients

2018-05-07 Thread admin--- via Exim-dev
https://bugs.exim.org/show_bug.cgi?id=2265 --- Comment #4 from Phil Pennock --- (Patch is reversed.) The issue I see is that we don't switch transports based upon DANE or not, or have a way to skip a router if DANE fails (since that's something for later, at SMTP time, when checking hosts). So

[exim-dev] [Bug 2265] TLS SNI not auto-set for DANE clients

2018-05-07 Thread admin--- via Exim-dev
https://bugs.exim.org/show_bug.cgi?id=2265 Jeremy Harris changed: What|Removed |Added CC||jgh146...@wizmail.org --- Comment #3 from Jeremy

Re: [exim-dev] [Bug 2265] TLS SNI not auto-set for DANE clients

2018-04-17 Thread Viktor Dukhovni via Exim-dev
> On Apr 17, 2018, at 4:37 PM, admin--- via Exim-dev wrote: > > SNI for a DANE-advertising site has to be different than one that does not? > Sheesh. Does that not implicitly require that _all_ clients be DANE-aware, > or that _all_ DANE-advertising hosts be prepared to be hit with SNI from >

[exim-dev] [Bug 2265] TLS SNI not auto-set for DANE clients

2018-04-17 Thread admin--- via Exim-dev
https://bugs.exim.org/show_bug.cgi?id=2265 --- Comment #2 from Phil Pennock --- DANE requires that SNI point to the MX hostname, to make it easier to manage mass-hosting. This is a good stance but requires DNSSEC to be safe. The hostname to be verified in a certificate should be the hostname fr

[exim-dev] [Bug 2265] TLS SNI not auto-set for DANE clients

2018-04-17 Thread admin--- via Exim-dev
https://bugs.exim.org/show_bug.cgi?id=2265 --- Comment #1 from Jeremy Harris --- SNI for a DANE-advertising site has to be different than one that does not? Sheesh. Does that not implicitly require that _all_ clients be DANE-aware, or that _all_ DANE-advertising hosts be prepared to be hit with