From 4243a209fd9499f30bebd58ceaa2d0d9845407ae Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Sat, 10 Dec 2022 10:47:05 +0000 Subject: Move connect ACL before TLS-on-connect --- doc/doc-docbook/spec.xfpt | 15 ++++++++++----- doc/doc-txt/ChangeLog | 9 +++++++++ 2 files changed, 19 insertions(+), 5 deletions(-) (limited to 'doc') diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 9d3813e5a..1b3c2b454 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -16193,11 +16193,13 @@ case. That is why the default tries a DNS lookup first. .cindex "host" "rejecting connections from" If this option is set, incoming SMTP calls from the hosts listed are rejected as soon as the connection is made. -This option is mostly obsolete, retained for backward compatibility because +This option is obsolete, and retained only for backward compatibility, because nowadays the ACL specified by &%acl_smtp_connect%& can also reject incoming -connections immediately +connections immediately. + .new -(except for tls-on-connect connections). +If the connection is on a TLS-on-connect port then the TCP connection is +just dropped. Otherwise, an SMTP error is sent first. .wen The ability to give an immediate rejection (either by this option or using an @@ -30487,8 +30489,11 @@ accepted by an &%accept%& verb that has a &%message%& modifier, the contents of the message override the banner message that is otherwise specified by the &%smtp_banner%& option. -For tls-on-connect connections, the ACL is run after the TLS connection -is accepted (however, &%host_reject_connection%& is tested before). +.new +For tls-on-connect connections, the ACL is run before the TLS connection +is accepted; if the ACL does not accept then the TCP connection is dropped without +any TLS startup attempt and without any SMTP response being transmitted. +.wen .subsection "The EHLO/HELO ACL" SECID192 
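Review bot: in the new `.new`/`.wen` block of the first spec.xfpt hunk, the sentence "If the connection is on a TLS-on-connect port then the TCP connection is just dropped. Otherwise, an SMTP error is sent first." has no stated subject, so a reader cannot tell whether it describes host_reject_connection, the acl_smtp_connect rejection named in the preceding sentence, or both; the ChangeLog entry in this same commit says the no-response behaviour applies to both, so say so explicitly, e.g. "In either case, if the connection is on a TLS-on-connect port the TCP connection is just dropped; otherwise an SMTP error response is sent first." Since the option is also promoted from "mostly obsolete" to "obsolete", it would help to state the reason the qualifier could go, namely that the connect ACL now covers TLS-on-connect ports as well.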
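Review bot: the second spec.xfpt hunk removes the parenthetical "(however, host_reject_connection is tested before)" without replacing it, so the relative order of host_reject_connection and the connect ACL is no longer documented in this paragraph; if that order is unchanged, keep a sentence saying host_reject_connection is still checked first. The new text should also say that, because the ACL now runs before any TLS startup on these ports, TLS session details are not available to the connect ACL there; an ACL that conditions on them for tls-on-connect listeners behaved differently before this change, which is the kind of consequence a reader expects to find next to a `.new` marker when the ChangeLog calls the change incompatible.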
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 5ac91dc99..f8ab5da0c 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -66,6 +66,15 @@ JH/15 Fix argument parsing for ${run } expansion. Previously, when an argument included a close-brace character (eg. it itself used an expansion) an error occurred. +JH/16 Move running the smtp connect ACL to before, for TLS-on-connect ports, + starting TLS. Previously it was after, meaning that attackers on such + ports had to be screened using the host_reject_connection main config + option. The new sequence aligns better with the STARTTLS behaviour, and + permits defences against crypto-processing load attacks, even though it + is strictly an incompatible change. + Also, avoid sending any SMTP fail response for either the connect ACL + or host_reject_connection, for TLS-on-connect ports. + Exim version 4.96 -----------------
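Review bot: the JH/16 entry calls this "strictly an incompatible change" but describes only the reordering; the operator-visible consequences are that connect ACL tests relying on TLS state for tls-on-connect ports no longer see any, and that a deny (with or without a message) on such ports now produces a silent TCP drop rather than an SMTP error, so spell both out here rather than leaving them to be inferred from the spec.xfpt wording, and make sure the entry is also listed wherever operators look for incompatible changes when upgrading. The opening sentence is hard to parse with the port clause in the middle ("Move running the smtp connect ACL to before, for TLS-on-connect ports, starting TLS"); "For TLS-on-connect ports, run the smtp connect ACL before starting TLS" says the same thing.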