author: Jeremy Harris <jgh146exb@wizmail.org> 2022-12-10 10:47:05 +0000
committer: Jeremy Harris <jgh146exb@wizmail.org> 2022-12-10 15:53:02 +0000
commit: 4243a209fd9499f30bebd58ceaa2d0d9845407ae
tree: b41720cfb1bb6ed0089d6096835587df8d0f5bdd /doc
parent: f31b1cd64dfcc7e6a8860ee418543949effd517e
download: exim4-4243a209fd9499f30bebd58ceaa2d0d9845407ae.tar.gz
Move connect ACL before TLS-on-connect
Diffstat (limited to 'doc')
 doc/doc-docbook/spec.xfpt | 15
 doc/doc-txt/ChangeLog     |  9
 2 files changed, 19 insertions, 5 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 9d3813e5a..1b3c2b454 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -16193,11 +16193,13 @@ case. That is why the default tries a DNS lookup first.
.cindex "host" "rejecting connections from"
If this option is set, incoming SMTP calls from the hosts listed are rejected
as soon as the connection is made.
-This option is mostly obsolete, retained for backward compatibility because
+This option is obsolete, and retained only for backward compatibility, because
nowadays the ACL specified by &%acl_smtp_connect%& can also reject incoming
-connections immediately
+connections immediately.
+
.new
-(except for tls-on-connect connections).
+If the connection is on a TLS-on-connect port then the TCP connection is
+just dropped. Otherwise, an SMTP error is sent first.
.wen
The ability to give an immediate rejection (either by this option or using an
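Review bot: the added sentences "If the connection is on a TLS-on-connect port then the TCP connection is just dropped. Otherwise, an SMTP error is sent first." sit directly after the clause about &%acl_smtp_connect%&, so a reader will take them to describe only the ACL's rejection, whereas the ChangeLog entry in this same commit says the no-response behaviour also applies to host_reject_connection itself. Suggest making the subject explicit, e.g. "In either case, if the connection is on a TLS-on-connect port the TCP connection is simply dropped; otherwise an SMTP error response is sent first." The two edits that turn "This option is mostly obsolete, retained for backward compatibility" into "obsolete, and retained only for backward compatibility" are fine, but note the sentence now ends in a full stop at "immediately." before the `.new` block, so the old parenthetical flow is gone; check that the rendered section does not read as two disconnected statements.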
@@ -30487,8 +30489,11 @@ accepted by an &%accept%& verb that has a &%message%& modifier, the contents of
the message override the banner message that is otherwise specified by the
&%smtp_banner%& option.
-For tls-on-connect connections, the ACL is run after the TLS connection
-is accepted (however, &%host_reject_connection%& is tested before).
+.new
+For tls-on-connect connections, the ACL is run before the TLS connection
+is accepted; if the ACL does not accept then the TCP connection is dropped without
+any TLS startup attempt and without any SMTP response being transmitted.
+.wen
.subsection "The EHLO/HELO ACL" SECID192
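Review bot: the removed parenthetical "(however, &%host_reject_connection%& is tested before)" was the only place this section recorded the order of host_reject_connection relative to the connect ACL, and the replacement text says nothing about it; since both are now evaluated before any TLS startup on these ports, suggest keeping one sentence stating that ordering. Also "if the ACL does not accept" should say whether a defer verdict (which on a plain port yields a 4xx) is treated the same as deny, because "without any SMTP response being transmitted" means the temporary/permanent distinction is lost on TLS-on-connect ports and the client sees only a closed socket. Minor: "before the TLS connection is accepted" would read more precisely as "before TLS is started", matching the "without any TLS startup attempt" wording two lines later.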
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 5ac91dc99..f8ab5da0c 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -66,6 +66,15 @@ JH/15 Fix argument parsing for ${run } expansion. Previously, when an argument
included a close-brace character (eg. it itself used an expansion) an
error occurred.
+JH/16 Move running the smtp connect ACL to before, for TLS-on-connect ports,
+ starting TLS. Previously it was after, meaning that attackers on such
+ ports had to be screened using the host_reject_connection main config
+ option. The new sequence aligns better with the STARTTLS behaviour, and
+ permits defences against crypto-processing load attacks, even though it
+ is strictly an incompatible change.
+ Also, avoid sending any SMTP fail response for either the connect ACL
+ or host_reject_connection, for TLS-on-connect ports.
+
Exim version 4.96
-----------------
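Review bot: the entry calls this "strictly an incompatible change" but does not say what breaks; an operator whose connect ACL on a TLS-on-connect port tests TLS state (for example a condition on $tls_in_cipher or on the client certificate) now has that ACL run before any TLS exists, so such conditions will never match there and those checks need to move to a later ACL. Suggest naming that consequence in the entry so it can be carried into the upgrade notes. Style: the opening sentence "Move running the smtp connect ACL to before, for TLS-on-connect ports, starting TLS." is hard to parse; "For TLS-on-connect ports, run the smtp connect ACL before starting TLS." says the same thing.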