Haven't written the code yet, but writing the docs first helped me
affirm that this makes sense and feels clean. Code in next commit.
to this server, its A record, its TLSA record and any associated CNAME records must all be covered by
DNSSEC.
2) add TLSA DNS records. These say what the server certificate for a TLS connection should be.
to this server, its A record, its TLSA record and any associated CNAME records must all be covered by
DNSSEC.
2) add TLSA DNS records. These say what the server certificate for a TLS connection should be.
-3) offer a server certificate, or certificate chain, in TLS connections which is traceable to the one
-defined by (one of?) the TSLA records
+3) offer a server certificate, or certificate chain, in TLS connections which is is anchored by one of the TLSA records.
There are no changes to Exim specific to server-side operation of DANE.
Support for client-side operation of DANE can be included at compile time by defining SUPPORT_DANE=yes
There are no changes to Exim specific to server-side operation of DANE.
Support for client-side operation of DANE can be included at compile time by defining SUPPORT_DANE=yes
those who use &%hosts_require_ocsp%&, should consider the interaction with DANE in their OCSP settings.
those who use &%hosts_require_ocsp%&, should consider the interaction with DANE in their OCSP settings.
-For client-side DANE there are two new smtp transport options, &%hosts_try_dane%& and &%hosts_require_dane%&.
-The latter variant will result in failure if the target host is not DNSSEC-secured.
+For client-side DANE there are three new smtp transport options, &%hosts_try_dane%&, &%hosts_require_dane%&
+and &%dane_require_tls_ciphers%&.
+The require variant will result in failure if the target host is not DNSSEC-secured.
DANE will only be usable if the target host has DNSSEC-secured MX, A and TLSA records.
DANE will only be usable if the target host has DNSSEC-secured MX, A and TLSA records.
will be required for the host. If it does not, the host will not
be used; there is no fallback to non-DANE or non-TLS.
will be required for the host. If it does not, the host will not
be used; there is no fallback to non-DANE or non-TLS.
+If DANE is requested and usable, then the TLS cipher list configuration
+prefers to use the option &%dane_require_tls_ciphers%& and falls
+back to &%tls_require_ciphers%& only if that is unset.
+This lets you configure "decent crypto" for DANE and "better than nothing
+crypto" as the default. Note though that while GnuTLS lets the string control
+which versions of TLS/SSL will be negotiated, OpenSSL does not and you're
+limited to ciphersuite constraints.
+
If DANE is requested and useable (see above) the following transport options are ignored:
.code
hosts_require_tls
If DANE is requested and useable (see above) the following transport options are ignored:
.code
hosts_require_tls
in defer=pass mode supply a 450 to the initiator. Previously the message
would be spooled.
in defer=pass mode supply a 450 to the initiator. Previously the message
would be spooled.
+PP/02 DANE: add dane_require_tls_ciphers SMTP Transport option; if unset,
+ tls_require_ciphers is used as before.
+
Exim version 4.90
-----------------
Exim version 4.90
-----------------
2. DANE is now supported under GnuTLS version 3.0.0 or later. Both GnuTLS and
OpenSSL versions are moved to mainline support from Experimental.
2. DANE is now supported under GnuTLS version 3.0.0 or later. Both GnuTLS and
OpenSSL versions are moved to mainline support from Experimental.
+ New SMTP transport option "dane_require_tls_ciphers".
3. Feature macros for the compiled-in set of malware scanner interfaces.
3. Feature macros for the compiled-in set of malware scanner interfaces.
daemon_smtp_ports string unset main 1.75 pluralised in 4.21
daemon_startup_retries int 9 main 4.52
daemon_startup_sleep time 30s main 4.52
daemon_smtp_ports string unset main 1.75 pluralised in 4.21
daemon_startup_retries int 9 main 4.52
daemon_startup_sleep time 30s main 4.52
+dane_require_tls_ciphers string* unset smtp 4.91
data string unset redirect 4.00
data_timeout time 5m smtp
debug_print string* unset authenticators 4.00
unset routers 4.00
unset transports 2.00
data string unset redirect 4.00
data_timeout time 5m smtp
debug_print string* unset authenticators 4.00
unset routers 4.00
unset transports 2.00
-debug_store boolean false main 4.90
+debug_store boolean false main 4.90
delay_after_cutoff boolean true smtp
delay_warning time list 24h main
delay_warning_condition string* + main 1.73
delay_after_cutoff boolean true smtp
delay_warning time list 24h main
delay_warning_condition string* + main 1.73
hosts_randomize boolean false manualroute 4.00
false smtp 3.14
hosts_require_auth host list unset smtp 4.00
hosts_randomize boolean false manualroute 4.00
false smtp 3.14
hosts_require_auth host list unset smtp 4.00
+hosts_require_dane host list unset smtp 4.91 (4.85 experimental)
hosts_require_ocsp host list unset smtp 4.82 if experimental_ocsp
hosts_require_tls host list unset smtp 3.20
hosts_treat_as_local domain list unset main 1.95
hosts_try_auth host list unset smtp 4.00
hosts_require_ocsp host list unset smtp 4.82 if experimental_ocsp
hosts_require_tls host list unset smtp 3.20
hosts_treat_as_local domain list unset main 1.95
hosts_try_auth host list unset smtp 4.00
+hosts_try_dane host list unset smtp 4.91 (4.85 experimental)
hosts_try_fastopen host list unset smtp 4.88
hosts_try_prdr host list unset smtp 4.82 if experimental_prdr
ibase_servers string unset main 4.23
hosts_try_fastopen host list unset smtp 4.88
hosts_try_prdr host list unset smtp 4.82 if experimental_prdr
ibase_servers string unset main 4.23
git://git.exim.org / exim.git / commitdiff