author: Jeremy Harris <jgh146exb@wizmail.org> 2022-12-10 10:47:05 +0000
committer: Jeremy Harris <jgh146exb@wizmail.org> 2022-12-10 15:53:02 +0000
commit: 4243a209fd9499f30bebd58ceaa2d0d9845407ae (patch)
tree: b41720cfb1bb6ed0089d6096835587df8d0f5bdd /doc/doc-txt
parent: f31b1cd64dfcc7e6a8860ee418543949effd517e (diff)
Move connect ACL before TLS-on-connect
Diffstat (limited to 'doc/doc-txt')
-rw-r--r--  doc/doc-txt/ChangeLog | 9
1 files changed, 9 insertions, 0 deletions
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 5ac91dc99..f8ab5da0c 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -66,6 +66,15 @@ JH/15 Fix argument parsing for ${run } expansion. Previously, when an argument
included a close-brace character (eg. it itself used an expansion) an
error occurred.
+JH/16 Move running the smtp connect ACL to before, for TLS-on-connect ports,
+ starting TLS. Previously it was after, meaning that attackers on such
+ ports had to be screened using the host_reject_connection main config
+ option. The new sequence aligns better with the STARTTLS behaviour, and
+ permits defences against crypto-processing load attacks, even though it
+ is strictly an incompatible change.
+ Also, avoid sending any SMTP fail response for either the connect ACL
+ or host_reject_connection, for TLS-on-connect ports.
+
Exim version 4.96
-----------------
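Review bot: the JH/16 entry flags the change as incompatible but does not tell an operator what actually changes for an existing configuration; two consequences that follow directly from "Move running the smtp connect ACL to before ... starting TLS" should be spelled out. First, on TLS-on-connect ports the connect ACL now runs with no TLS session established, so any connect ACL that tests TLS-derived state (cipher, peer certificate and the like) will see it unset there and needs to move those checks to a later ACL; say so, since such configurations previously worked. Second, "avoid sending any SMTP fail response for either the connect ACL or host_reject_connection, for TLS-on-connect ports" should state what the rejected client observes instead (the connection is simply closed), so that log analysis and client-side troubleshooting expectations are set; as written, a reader could take it to mean the rejection is silent on the server side too. Given the entry's own "strictly an incompatible change" wording, consider also recording it in the release-notes file alongside this ChangeLog text so it is not lost among the bug fixes.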