summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorPhil Pennock <pdp@exim.org>2018-03-28 21:41:20 -0400
committerPhil Pennock <pdp@exim.org>2018-03-28 21:41:20 -0400
commit405074adb94eb8402e9ffd0abe7da4f7c8c827bc (patch)
tree9a8cb2a2e2b6e43fd48d723f0ddc9a05c2038e22
parentc3d43245c842965fed6a9153f9c6e9e8be326b7c (diff)
Document new dane_require_tls_ciphers
Haven't written the code yet, but writing the docs first helped me affirm that this makes sense and feels clean. Code in next commit.
-rw-r--r--doc/doc-docbook/spec.xfpt16
-rw-r--r--doc/doc-txt/ChangeLog3
-rw-r--r--doc/doc-txt/NewStuff1
-rw-r--r--doc/doc-txt/OptionLists.txt5
4 files changed, 20 insertions, 5 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 2dbe6d2d3..9722c0063 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -28102,8 +28102,7 @@ that DNS lookups they do for the server have not been tampered with. The domain
to this server, its A record, its TLSA record and any associated CNAME records must all be covered by
DNSSEC.
2) add TLSA DNS records. These say what the server certificate for a TLS connection should be.
-3) offer a server certificate, or certificate chain, in TLS connections which is traceable to the one
-defined by (one of?) the TSLA records
+3) offer a server certificate, or certificate chain, in TLS connections which is is anchored by one of the TLSA records.
There are no changes to Exim specific to server-side operation of DANE.
Support for client-side operation of DANE can be included at compile time by defining SUPPORT_DANE=yes
@@ -28158,8 +28157,9 @@ This modification of hosts_request_ocsp is only done if it has the default value
those who use &%hosts_require_ocsp%&, should consider the interaction with DANE in their OCSP settings.
-For client-side DANE there are two new smtp transport options, &%hosts_try_dane%& and &%hosts_require_dane%&.
-The latter variant will result in failure if the target host is not DNSSEC-secured.
+For client-side DANE there are three new smtp transport options, &%hosts_try_dane%&, &%hosts_require_dane%&
+and &%dane_require_tls_ciphers%&.
+The require variant will result in failure if the target host is not DNSSEC-secured.
DANE will only be usable if the target host has DNSSEC-secured MX, A and TLSA records.
@@ -28168,6 +28168,14 @@ If a TLSA lookup is done and succeeds, a DANE-verified TLS connection
will be required for the host. If it does not, the host will not
be used; there is no fallback to non-DANE or non-TLS.
+If DANE is requested and usable, then the TLS cipher list configuration
+prefers to use the option &%dane_require_tls_ciphers%& and falls
+back to &%tls_require_ciphers%& only if that is unset.
+This lets you configure "decent crypto" for DANE and "better than nothing
+crypto" as the default. Note though that while GnuTLS lets the string control
+which versions of TLS/SSL will be negotiated, OpenSSL does not and you're
+limited to ciphersuite constraints.
+
If DANE is requested and useable (see above) the following transport options are ignored:
.code
hosts_require_tls
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 201e21207..8d1b33bc2 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -187,6 +187,9 @@ JH/35 Cutthrough: for a final-dot response timeout (and nonunderstood responses)
in defer=pass mode supply a 450 to the initiator. Previously the message
would be spooled.
+PP/02 DANE: add dane_require_tls_ciphers SMTP Transport option; if unset,
+ tls_require_ciphers is used as before.
+
Exim version 4.90
-----------------
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index 58f3f2054..4bf04ec8d 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -14,6 +14,7 @@ Version 4.91
2. DANE is now supported under GnuTLS version 3.0.0 or later. Both GnuTLS and
OpenSSL versions are moved to mainline support from Experimental.
+ New SMTP transport option "dane_require_tls_ciphers".
3. Feature macros for the compiled-in set of malware scanner interfaces.
diff --git a/doc/doc-txt/OptionLists.txt b/doc/doc-txt/OptionLists.txt
index 1fe72be6b..dfb0219cb 100644
--- a/doc/doc-txt/OptionLists.txt
+++ b/doc/doc-txt/OptionLists.txt
@@ -149,12 +149,13 @@ current_directory string unset transports
daemon_smtp_ports string unset main 1.75 pluralised in 4.21
daemon_startup_retries int 9 main 4.52
daemon_startup_sleep time 30s main 4.52
+dane_require_tls_ciphers string* unset smtp 4.91
data string unset redirect 4.00
data_timeout time 5m smtp
debug_print string* unset authenticators 4.00
unset routers 4.00
unset transports 2.00
-debug_store boolean false main 4.90
+debug_store boolean false main 4.90
delay_after_cutoff boolean true smtp
delay_warning time list 24h main
delay_warning_condition string* + main 1.73
@@ -300,10 +301,12 @@ hosts_override boolean false smtp
hosts_randomize boolean false manualroute 4.00
false smtp 3.14
hosts_require_auth host list unset smtp 4.00
+hosts_require_dane host list unset smtp 4.91 (4.85 experimental)
hosts_require_ocsp host list unset smtp 4.82 if experimental_ocsp
hosts_require_tls host list unset smtp 3.20
hosts_treat_as_local domain list unset main 1.95
hosts_try_auth host list unset smtp 4.00
+hosts_try_dane host list unset smtp 4.91 (4.85 experimental)
hosts_try_fastopen host list unset smtp 4.88
hosts_try_prdr host list unset smtp 4.82 if experimental_prdr
ibase_servers string unset main 4.23