Bug#422419: exim4: tls_verify_hosts only applies during TLS sessions

Andreas Metzler ametzler at downhill.at.eu.org
Sun May 6 07:57:16 UTC 2007


On 2007-05-05 Oskar Liljeblad <oskar at osk.mine.nu> wrote:
> Package: exim4
> Version: 4.63-17
> Severity: minor

> It should be clarified in the documentation that tls_verify_hosts only
> applies to TLS sessions. That is, if a sending host matched in
> tls_verify_hosts does not attempt to use TLS, it can still send messages
> unencrypted.

You'd be happy with something like this?

tls_verify_hosts        Use: main       Type: host list†        Default: unset

This option, along with tls_try_verify_hosts, controls the checking of
certificates from clients. The expected certificates are defined by
tls_verify_certificates, which must be set. A configuration error occurs if
either tls_verify_hosts or tls_try_verify_hosts is set and
tls_verify_certificates is not set.

Any client that matches tls_verify_hosts is constrained by
tls_verify_certificates. The client must present one of the listed
certificates. If it does not, the connection is aborted.
++Listing a host in tls_verify_hosts does not directly require the host
++to actually use TLS. It can still send SMTP commands through
++unencrypted connections. Enforcing TLS for a host needs to be done
++separately using ACLs.

A weaker form of checking is provided by tls_try_verify_hosts. If a client
matches this option (but not tls_verify_hosts), Exim requests a certificate and
checks it against tls_verify_certificates, but does not abort the connection if
there is no certificate or if it does not match. This state can be detected in
an ACL, which makes it possible to implement policies such as “accept for relay
only if a verified certificate has been received, but accept for local delivery
if encrypted, even without a verified certificate”.

Client hosts that match neither of these lists are not asked to present
certificates. 

> This makes tls_verify_hosts pretty useless, but that's just my humble
> opinion...
[...]

Exim allows enforcing TLS encryption and enforcing
certificate verification for TLS-protected connections; it is easy to
put both together. I guess this is usually done automatically, by both
requiring SMTP AUTH and only advertising SMTP AUTH on TLS-protected
connections.

######################################
hostlist youmustusedverifiedtls = blah.example.com : foo.example.com

tls_verify_hosts = +youmustusedverifiedtls
[...]

begin acl
acl_check_mail:
        deny
                message = No TLS encryption used
                hosts = +youmustusedverifiedtls
                condition = ${if eq{$tls_cipher}{}{yes}{no}}
######################################


cu andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
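
Added example, not part of the original message or of Exim: a log check for the gap discussed in this thread, reporting messages that arrived without TLS from hosts that are expected to use verified TLS. It assumes Exim's default mainlog layout with the default log selectors (an X= field on arrival lines received over TLS) and that the H= field carries the looked-up host name; the log lines are constructed samples and the function name is hypothetical.

```python
import re

# Hosts expected to use verified TLS (same names as the hostlist in the message above).
MUST_USE_TLS = {"blah.example.com", "foo.example.com"}

# Constructed sample lines in Exim's default mainlog layout.
SAMPLE_LOG = """\
2007-05-06 08:00:01 1HkaAA-0000aa-01 <= a@blah.example.com H=blah.example.com [192.0.2.10] P=esmtps X=TLS-1.0:RSA_AES_256_CBC_SHA1:32 S=1201
2007-05-06 08:00:07 1HkaAB-0000ab-02 <= b@foo.example.com H=foo.example.com [192.0.2.20] P=esmtp S=845
2007-05-06 08:01:13 1HkaAC-0000ac-03 <= c@other.example.net H=mx.other.example.net [198.51.100.5] P=esmtp S=990
2007-05-06 08:02:40 1HkaAD-0000ad-04 <= d@foo.example.com H=foo.example.com (mail) [192.0.2.20] P=smtp S=512
2007-05-06 08:03:00 1HkaAD-0000ad-04 => user@local.example R=local_user T=mail_spool
"""

# Arrival line: timestamp, message id, "<=", then the H= field. Only a host name
# that is not parenthesised is captured, because "(name)" is just the HELO
# argument and cannot be trusted for matching against the host list.
ARRIVAL = re.compile(r"^(?P<ts>\S+ \S+) (?P<id>\S+) <= .*?\bH=(?P<host>[^\s(\[]+)")

# X=<cipher> is written on arrival lines only when the session was encrypted.
TLS_FIELD = re.compile(r"\sX=\S+")


def plaintext_arrivals(log_text, hosts=MUST_USE_TLS):
    """Return (timestamp, message id, host) for listed hosts that sent without TLS."""
    wanted = {h.lower() for h in hosts}
    findings = []
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if not m or m.group("host").lower() not in wanted:
            continue  # not an arrival line, or a host outside the list
        if not TLS_FIELD.search(line):
            findings.append((m.group("ts"), m.group("id"), m.group("host")))
    return findings


if __name__ == "__main__":
    for ts, msg_id, host in plaintext_arrivals(SAMPLE_LOG):
        print(f"{ts} {msg_id}: {host} delivered without TLS")
```

With the ACL from the message in place, such arrivals are rejected at MAIL FROM and no longer appear as accepted messages in the log.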



