On 30 Oct 2021, at 10:13, Viktor Dukhovni via Exim-users
wrote:
> The only reason to abort the handshake on verification failure is if you
> insist on a secure connection, and then you'd better not fall back to
> cleartext which would be just absurd. Either require a secure
> connection, or don'
On Sat, Oct 30, 2021 at 02:09:21PM +0200, Slavko via Exim-users wrote:
> It is useless to use TLS for moving messages eg. between LXC hosts (not
> VPS) or for delegating delivery to other MDA, when it stays on the same
> machine. If someone can gain root access to inspect/intercept them,
> then it
On Sat, Oct 30, 2021 at 02:52:00PM +0200, Slavko via Exim-users wrote:
> On Sat, 30 Oct 2021 13:38:40 +0100 Dominik Vogt via Exim-users
> wrote:
> > That says that all of these are undefined. So, to enforce TLS and
> > certificate verification I should set
> >
> > MAIN_TLS_VERIFY_HOSTS = *
>
On Sat, Oct 30, 2021 at 12:37:50PM +0100, Jeremy Harris via Exim-users wrote:
> On 30/10/2021 11:56, Dominik Vogt via Exim-users wrote:
> > The Debian-11/Devuan-4 defaults for "SMARTHOST for outgoing main,
> > fetchmail for incoming mail" are what caused this:
> >
> > .ifdef MAIN_TLS_VERIFY_HOSTS
Hi,
On Sat, 30 Oct 2021 13:38:40 +0100 Dominik Vogt via Exim-users
wrote:
> That says that all of these are undefined. So, to enforce TLS and
> certificate verification I should set
>
> MAIN_TLS_VERIFY_HOSTS = *
> REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS = *
yes
> Somewhere at the begi
Hi,
On Sat, 30 Oct 2021 07:11:18 -0400 Viktor Dukhovni via Exim-users
wrote:
> No. Rather than random ad-hoc policies, we implement and evolve
> standards. Thus we have:
It seems, that we are talking about different cases. You are talking
about remote/foreign hosts, and I am talking abou
On 30/10/2021 11:56, Dominik Vogt via Exim-users wrote:
No idea to what values of the upper case variables are in the
first place. Are they defined at compile time; is there a way to
look them up, other than from the Debian src package?
They are macros, not variables. They will be defined som
On Sat, Oct 30, 2021 at 11:58:56AM +0200, Slavko via Exim-users wrote:
> > smtp_tls_security_level = none | may | encrypt | fingerprint | dane |
> > secure
>
> I think, that ideal MTA must have option:
>
> guess_tls_verify = no | user | admin
>
> That "guess" part points to deciding wha
On Sat, Oct 30, 2021 at 11:56:21AM +0100, Dominik Vogt via Exim-users wrote:
> > * Use a certificate that is verifiable without client-side changes, e.g. set up
> > DANE on the server and/or use e.g. a letsencrypt cert.
>
> It's not my server, but the colleague says it supports DANE. I
> may look
On Sat, Oct 30, 2021 at 08:07:02AM +0200, Andreas Metzler via Exim-users wrote:
>
> If a host is in tls_verify_hosts and hosts_try_tls but not in
> hosts_require_tls exim will fall back to cleartext.
The Debian-11/Devuan-4 defaults for "SMARTHOST for outgoing main,
fetchmail for incoming mail" are
On 30/10/2021 00:01, Dominik Vogt via Exim-users wrote:
Since the Devuan 3 to 4 upgrade, my Exim 4.94.2 installation has a
problem with TLS certificates.
The local Exim is set up to relay outgoing mail that is sent by
user X to server B and all other outgoing mail to server A. Both
servers requ
Hi,
On Sat, 30 Oct 2021 02:56:40 -0400 Viktor Dukhovni via Exim-users
wrote:
> Thus:
>
> smtp_tls_security_level = none | may | encrypt | fingerprint |
> dane | secure
I think, that ideal MTA must have option:
guess_tls_verify = no | user | admin
in "admin" mode, it will reject to
Hi,
On Sat, 30 Oct 2021 00:01:39 +0100 Dominik Vogt via Exim-users
wrote:
> How can this be fixed or at least debugged?
As you pointed elsewhere, you are using self signed certificate.
Self signed certificates are OK with one exception, they can be
validated only by self (as name suggests).
On Sat, Oct 30, 2021 at 10:46:24AM +0300, Evgeniy Berdnikov via Exim-users
wrote:
> > This seems like a footgun combination of configuration options. [...]
>
> How Exim is doing TLS fallback is described here:
>
>
> https://www.exim.org/exim-html-current/doc/html/spec_html/ch-encrypted_smtp_
On Sat, Oct 30, 2021 at 02:56:40AM -0400, Viktor Dukhovni via Exim-users wrote:
> On Sat, Oct 30, 2021 at 08:07:02AM +0200, Andreas Metzler via Exim-users
> wrote:
>
> > > Is it really true that for lack of valid certificate there's a way to
> > > get Exim to fall back to cleartext instead???
> >
On Sat, Oct 30, 2021 at 08:07:02AM +0200, Andreas Metzler via Exim-users wrote:
> > Is it really true that for lack of valid certificate there's a way to
> > get Exim to fall back to cleartext instead???
>
> If a host is in tls_verify_hosts and hosts_try_tls but not in
> hosts_require_tls exim wi
On 2021-10-30 Viktor Dukhovni via Exim-users wrote:
[...]
> Is it really true that for lack of valid certificate there's a way to
> get Exim to fall back to cleartext instead???
Good morning,
If a host is in tls_verify_hosts and hosts_try_tls but not in
hosts_require_tls exim will fall back to c
On Sat, Oct 30, 2021 at 12:01:39AM +0100, Dominik Vogt via Exim-users wrote:
> The local Exim is set up to relay outgoing mail that is sent by
> user X to server B and all other outgoing mail to server A. Both
> servers require TLS for outgoing mail. But Exim does not use TLS
> for server B and
Since the Devuan 3 to 4 upgrade, my Exim 4.94.2 installation has a
problem with TLS certificates.
The local Exim is set up to relay outgoing mail that is sent by
user X to server B and all other outgoing mail to server A. Both
servers require TLS for outgoing mail. But Exim does not use TLS
for
On Sat, Oct 30, 2021 at 12:01:39AM +0100, Dominik Vogt wrote:
> Since the Devuan 3 to 4 upgrade, my Exim 4.94.2 installation has a
> problem with TLS certificates.
>
> The local Exim is set up to relay outgoing mail that is sent by
> user X to server B and all other outgoing mail to server A. Both
20 matches