Author: Phil Pennock
Date:
To: Jeremy Harris
CC: exim-users
Subject: Re: [exim] tls_verify_hostname

On 2012-04-16 at 21:51 +0100, Jeremy Harris wrote:
> On 2012-04-16 07:52, Phil Pennock wrote:
> > we'd better have DNSSEC
> > support in Exim
> Also a good notion. Wishlist item, or should it be handled by some
> other software component on the system (nscd, etc.)?
Should be able to set it as a resolver client option and check bits in
the result, leaving it up to the administrator to install a verifying
resolver. That way we avoid implementing a lot of logic which breaks
with new algorithms, bug-fixes etc., and which is prone to security
implications. We just delegate. The admin can install "unbound" or
configure "bind" to verify, or whatever.
> > I suspect that
> > we'd be better off with DN parse routines exposed as expansion
> > operators (or items), which would help with LDAP too.
> That would work. It's not something I know about; does anyone
> else work in that area who's prepared to take it on?
I didn't look but assumed that the actual parse logic was necessarily in
the original patch, to be able to get CN out.
> > TLS debugging: I'm all in favour of more detailed information in debug
> > logs.
> The implication is that it got lost and ought to
> be accepted, as opposed to wasn't found useful?
I wasn't an Exim developer in 2002. I have no context, beyond what I
saw in the thread, which suggests that things simply got lost.
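The "set a resolver client option and check bits in the result" approach described in the reply above, shown as an added example that is not part of this thread and not Exim's code. It assumes a validating resolver that the administrator has installed locally; the sample query and responses are constructed inline for the reserved name example.test, so nothing is sent on the network. The client sets the AD bit in its query (RFC 6840 section 5.7, signalling that it understands AD) and then reads the AD bit and RCODE of the response header, delegating all signature validation to the resolver.

```python
import struct

# DNS header flag bits: RFC 1035 section 4.1.1; AD and CD from RFC 4035 section 3.2.3.
FLAG_QR = 0x8000      # response (1) vs query (0)
FLAG_RD = 0x0100      # recursion desired
FLAG_RA = 0x0080      # recursion available
FLAG_AD = 0x0020      # Authentic Data: the resolver validated every RRset it returned
FLAG_CD = 0x0010      # Checking Disabled: client asked the resolver not to validate
RCODE_MASK = 0x000F
RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3


def encode_name(name):
    """Encode a domain name in DNS wire format: length-prefixed labels, zero terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234):
    """Recursive query with AD set, so a validating resolver reports AD in its answer."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD | FLAG_AD, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    return header + question


def parse_header(msg):
    """Decode the 12-octet DNS header into named fields."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & RCODE_MASK,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def verdict(response, expected_txid=None):
    """Classify a response using only header bits; signature checking is the resolver's job.

    The AD bit is only meaningful when the resolver is trusted and the path to it is
    trusted (typically loopback); a remote resolver's AD bit can be set by anyone on path.
    """
    h = parse_header(response)
    if not h["qr"]:
        raise ValueError("message is a query, not a response")
    if expected_txid is not None and h["id"] != expected_txid:
        raise ValueError("transaction id mismatch")
    if h["rcode"] == RCODE_SERVFAIL:
        # A validating resolver answers SERVFAIL for data it determined to be bogus
        # (RFC 4035 section 5.5); a plain server failure looks the same from here.
        return "validation-failed"
    if h["rcode"] not in (RCODE_NOERROR, RCODE_NXDOMAIN):
        return "error"
    # NXDOMAIN with AD set is an authenticated denial of existence.
    return "authenticated" if h["ad"] else "unauthenticated"


def _response(flags, txid=0x1234):
    # Constructed sample: an A answer for example.test (RFC 2606 reserved TLD) -> 192.0.2.1.
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    question = encode_name("example.test") + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + answer


# Constructed samples: validated answer, unvalidated answer, and a SERVFAIL.
AUTH_RESPONSE = _response(FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD)
PLAIN_RESPONSE = _response(FLAG_QR | FLAG_RD | FLAG_RA)
SERVFAIL_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | RCODE_SERVFAIL, 1, 0, 0, 0)
    + encode_name("example.test") + struct.pack("!HH", 1, 1)
)

if __name__ == "__main__":
    print("query flags:", parse_header(build_query("example.test")))
    for label, msg in (("validated", AUTH_RESPONSE), ("plain", PLAIN_RESPONSE),
                       ("servfail", SERVFAIL_RESPONSE)):
        print(label, "->", verdict(msg, expected_txid=0x1234))
```

An MTA applying this would send the query to the administrator's validating resolver on loopback and treat only "authenticated" as DNSSEC-secured; "unauthenticated" means the zone is unsigned or the resolver does not validate, which is the case the configuration has to decide about, and "validation-failed" is the resolver refusing to hand over bogus data.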