------- You are receiving this mail because: -------
You are the QA contact for the bug, or are watching the QA contact.
http://www.exim.org/bugzilla/show_bug.cgi?id=511
Summary: tls_verify_hosts does not require TLS
Product: Exim
Version: 4.67
Platform: Other
URL: http://bugs.debian.org/422419
OS/Version: Linux
Status: NEW
Severity: wishlist
Priority: medium
Component: Documentation
AssignedTo: ph10@hermes.cam.ac.uk
ReportedBy: mh+exim-bugzilla@zugschlus.de
QAContact: exim-dev@exim.org
Hi,
this issue is from the Debian BTS, issue #42219:
It should be clarified in the documentation that tls_verify_hosts only
applies to TLS sessions. That is, if a sending host matched in
tls_verify_hosts does not attempt to use TLS, it can still send messages
unencrypted.
The issue report also has text for docs improvement:
tls_verify_hosts Use: main Type: host list† Default:
unset
This option, along with tls_try_verify_hosts, controls the checking of
certificates from clients. The expected certificates are defined by
tls_verify_certificates, which must be set. A configuration error occurs if
either tls_verify_hosts or tls_try_verify_hosts is set and
tls_verify_certificates is not set.
Any client that matches tls_verify_hosts is constrained by
tls_verify_certificates. The client must present one of the listed
certificates. If it does not, the connection is aborted.
++Listing a host in tls_verify_hosts does not directly require the host
++to actually use TLS. It can still send SMTP commands through
++unencrypted connections. Enforcing TLS for a host needs to be done
++separately using ACLs.
A weaker form of checking is provided by tls_try_verify_hosts. If a client
matches this option (but not tls_verify_hosts), Exim requests a certificate and
checks it against tls_verify_certificates, but does not abort the connection if
there is no certificate or if it does not match. This state can be detected in
an ACL, which makes it possible to implement policies such as “accept for
relay
only if a verified certificate has been received, but accept for local delivery
if encrypted, even without a verified certificate”.
Client hosts that match neither of these lists are not asked to present
certificates.
Exim allows to enforce TLS encryption and to enforce
certificate verification for tls-protected connections, it is easy to
put both together. I guess this is usually done automatically, by both
requiring SMTP AUTH and only advertising SMTP AUTH on TLS pretected
connections.
######################################
hostlist youmustusedverifiedtls = blah.example.com : foo.example.com
tls_verify_hosts = +youmustusedverifiedtls
[...]
begin acl
acl_check_mail:
deny
message = No TLS encryption used
hosts = +youmustusedverifiedtls
condition = ${if eq{$tls_cipher}{}{yes}{no}}
######################################
The condition could probably also be wetten as ! encrypted = *
Please feel free to take any of these suggestions for the exim docs.
--
Configure bugmail: http://www.exim.org/bugzilla/userprefs.cgi?tab=email
--
## List details at http://www.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
You are the QA contact for the bug, or are watching the QA contact.
http://www.exim.org/bugzilla/show_bug.cgi?id=511
Summary: tls_verify_hosts does not require TLS
Product: Exim
Version: 4.67
Platform: Other
URL: http://bugs.debian.org/422419
OS/Version: Linux
Status: NEW
Severity: wishlist
Priority: medium
Component: Documentation
AssignedTo: ph10@hermes.cam.ac.uk
ReportedBy: mh+exim-bugzilla@zugschlus.de
QAContact: exim-dev@exim.org
Hi,
this issue is from the Debian BTS, issue #42219:
It should be clarified in the documentation that tls_verify_hosts only
applies to TLS sessions. That is, if a sending host matched in
tls_verify_hosts does not attempt to use TLS, it can still send messages
unencrypted.
The issue report also has text for docs improvement:
tls_verify_hosts Use: main Type: host list† Default:
unset
This option, along with tls_try_verify_hosts, controls the checking of
certificates from clients. The expected certificates are defined by
tls_verify_certificates, which must be set. A configuration error occurs if
either tls_verify_hosts or tls_try_verify_hosts is set and
tls_verify_certificates is not set.
Any client that matches tls_verify_hosts is constrained by
tls_verify_certificates. The client must present one of the listed
certificates. If it does not, the connection is aborted.
++Listing a host in tls_verify_hosts does not directly require the host
++to actually use TLS. It can still send SMTP commands through
++unencrypted connections. Enforcing TLS for a host needs to be done
++separately using ACLs.
A weaker form of checking is provided by tls_try_verify_hosts. If a client
matches this option (but not tls_verify_hosts), Exim requests a certificate and
checks it against tls_verify_certificates, but does not abort the connection if
there is no certificate or if it does not match. This state can be detected in
an ACL, which makes it possible to implement policies such as “accept for
relay
only if a verified certificate has been received, but accept for local delivery
if encrypted, even without a verified certificate”.
Client hosts that match neither of these lists are not asked to present
certificates.
Exim allows to enforce TLS encryption and to enforce
certificate verification for tls-protected connections, it is easy to
put both together. I guess this is usually done automatically, by both
requiring SMTP AUTH and only advertising SMTP AUTH on TLS pretected
connections.
######################################
hostlist youmustusedverifiedtls = blah.example.com : foo.example.com
tls_verify_hosts = +youmustusedverifiedtls
[...]
begin acl
acl_check_mail:
deny
message = No TLS encryption used
hosts = +youmustusedverifiedtls
condition = ${if eq{$tls_cipher}{}{yes}{no}}
######################################
The condition could probably also be wetten as ! encrypted = *
Please feel free to take any of these suggestions for the exim docs.
--
Configure bugmail: http://www.exim.org/bugzilla/userprefs.cgi?tab=email
--
## List details at http://www.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##