</para>
<para>
This means that you will not need any special configuration if
- you want to use TLS for outgoing mail. However, if your
+ you want to use TLS for outgoing mail. However, to enforce
+ TLS and successful certificate verification, a few things
+ need to be configured.
+ </para>
+ <para>
+ To enforce TLS and prevent fallback to unencrypted
+ connections, ensure that hosts_require_tls = * is in effect on
+ the respective transport. For the remote_smtp_smarthost
+ transport, this setting can be controlled via the
+ REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS macro.
+ </para>
+ <para>
+ The certificate presented by the remote host is checked
+ against the system CA certificate store
+ (<filename>/etc/ssl/certs/</filename>) and the verification
+ result is logged (CV=...). However successful certificate
+ verification is <emphasis>not enforced</emphasis> by default.
+ This can be changed by setting tls_verify_hosts = * on the
+ respective transport.
+ </para>
+ <para>
+ Another possibility would be to use DANE for certificate
+ verification. This requires support on the server side and
+ a resolver with DNSSEC support on the client side.
+ </para>
+ <para>
+ If your
server setup mandates the use of client certificates, you
need to amend your remote_smtp and/or remote_smtp_smarthost
transports with a tls_certificate option. This is not
commonly needed.
</para>
- <para>
- The certificate
- presented by the remote host is not checked unless you
- specify a tls_verify_certificate option on the transport.
- </para>
<para id="tls_client_certicate">
To make exim send a TLS certificate to the remote host set
REMOTE_SMTP_TLS_CERTIFICATE/REMOTE_SMTP_PRIVATEKEY or for
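Review bot: The paragraph that introduces tls_verify_hosts = * (the one beginning "The certificate presented by the remote host is checked") should state that this option only takes effect on connections that already negotiate TLS, so a reader who wants verified TLS needs it together with hosts_require_tls = * from the preceding paragraph; on its own it still allows fallback to cleartext, in which case no CV= result is logged at all. Two smaller points on the same hunk: unlike the hosts_require_tls paragraph, the text does not say how tls_verify_hosts is set on the remote_smtp_smarthost transport in the split configuration (name the macro if one exists, or say the transport definition has to be edited directly), and the option names hosts_require_tls = *, tls_verify_hosts = * and the REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS macro are left as bare text while the certificate directory gets filename markup; using the markup the rest of this file applies to options would keep the rendering consistent. Also a missing comma: "However, successful certificate verification is not enforced by default."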