From 405074adb94eb8402e9ffd0abe7da4f7c8c827bc Mon Sep 17 00:00:00 2001
From: Phil Pennock
Date: Wed, 28 Mar 2018 21:41:20 -0400
Subject: Document new dane_require_tls_ciphers

Haven't written the code yet, but writing the docs first helped me affirm that this makes sense and feels clean. Code in next commit.
---
 doc/doc-docbook/spec.xfpt | 16 ++++++++++++----
 doc/doc-txt/ChangeLog | 3 +++
 doc/doc-txt/NewStuff | 1 +
 doc/doc-txt/OptionLists.txt | 5 ++++-
 4 files changed, 20 insertions(+), 5 deletions(-)

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 2dbe6d2d3..9722c0063 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -28102,8 +28102,7 @@ that DNS lookups they do for the server have not been tampered with.
 The domain to this server, its A record, its TLSA record and any associated CNAME records must all be covered by DNSSEC.
 2) add TLSA DNS records. These say what the server certificate for a TLS connection should be.
-3) offer a server certificate, or certificate chain, in TLS connections which is traceable to the one
-defined by (one of?) the TSLA records
+3) offer a server certificate, or certificate chain, in TLS connections which is is anchored by one of the TLSA records.
 There are no changes to Exim specific to server-side operation of DANE. Support for client-side operation of DANE can be included at compile time by defining SUPPORT_DANE=yes
@@ -28158,8 +28157,9 @@ This modification of hosts_request_ocsp is only done if it has the default value
 those who use &%hosts_require_ocsp%&, should consider the interaction with DANE in their OCSP settings.
-For client-side DANE there are two new smtp transport options, &%hosts_try_dane%& and &%hosts_require_dane%&.
-The latter variant will result in failure if the target host is not DNSSEC-secured.
+For client-side DANE there are three new smtp transport options, &%hosts_try_dane%&, &%hosts_require_dane%&
+and &%dane_require_tls_ciphers%&.
+The require variant will result in failure if the target host is not DNSSEC-secured.
 DANE will only be usable if the target host has DNSSEC-secured MX, A and TLSA records.
@@ -28168,6 +28168,14 @@ If a TLSA lookup is done and succeeds, a DANE-verified TLS connection will be
 required for the host. If it does not, the host will not be used; there is no fallback to non-DANE or non-TLS.
+If DANE is requested and usable, then the TLS cipher list configuration
+prefers to use the option &%dane_require_tls_ciphers%& and falls
+back to &%tls_require_ciphers%& only if that is unset.
+This lets you configure "decent crypto" for DANE and "better than nothing
+crypto" as the default. Note though that while GnuTLS lets the string control
+which versions of TLS/SSL will be negotiated, OpenSSL does not and you're
+limited to ciphersuite constraints.
+
 If DANE is requested and useable (see above) the following transport options are ignored:
 .code
 hosts_require_tls
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 201e21207..8d1b33bc2 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -187,6 +187,9 @@ JH/35 Cutthrough: for a final-dot response timeout (and nonunderstood responses)
 in defer=pass mode supply a 450 to the initiator. Previously the message would be spooled.
+PP/02 DANE: add dane_require_tls_ciphers SMTP Transport option; if unset,
+ tls_require_ciphers is used as before.
+
 Exim version 4.90
 -----------------
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index 58f3f2054..4bf04ec8d 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -14,6 +14,7 @@ Version 4.91
 2. DANE is now supported under GnuTLS version 3.0.0 or later. Both GnuTLS and OpenSSL versions are moved to mainline support from Experimental.
+ New SMTP transport option "dane_require_tls_ciphers".
 3. Feature macros for the compiled-in set of malware scanner interfaces.
diff --git a/doc/doc-txt/OptionLists.txt b/doc/doc-txt/OptionLists.txt
index 1fe72be6b..dfb0219cb 100644
--- a/doc/doc-txt/OptionLists.txt
+++ b/doc/doc-txt/OptionLists.txt
@@ -149,12 +149,13 @@ current_directory string unset transports
 daemon_smtp_ports string unset main 1.75 pluralised in 4.21
 daemon_startup_retries int 9 main 4.52
 daemon_startup_sleep time 30s main 4.52
+dane_require_tls_ciphers string* unset smtp 4.91
 data string unset redirect 4.00
 data_timeout time 5m smtp
 debug_print string* unset authenticators 4.00
 unset routers 4.00
 unset transports 2.00
-debug_store boolean false main 4.90
+debug_store boolean false main 4.90
 delay_after_cutoff boolean true smtp
 delay_warning time list 24h main
 delay_warning_condition string* + main 1.73
@@ -300,10 +301,12 @@ hosts_override boolean false smtp
 hosts_randomize boolean false manualroute 4.00
 false smtp 3.14
 hosts_require_auth host list unset smtp 4.00
+hosts_require_dane host list unset smtp 4.91 (4.85 experimental)
 hosts_require_ocsp host list unset smtp 4.82 if experimental_ocsp
 hosts_require_tls host list unset smtp 3.20
 hosts_treat_as_local domain list unset main 1.95
 hosts_try_auth host list unset smtp 4.00
+hosts_try_dane host list unset smtp 4.91 (4.85 experimental)
 hosts_try_fastopen host list unset smtp 4.88
 hosts_try_prdr host list unset smtp 4.82 if experimental_prdr
 ibase_servers string unset main 4.23
-- 
cgit v1.2.3