On 03/04/2019 22:13, Jakob Bohm via openssl-users wrote:

> As an Exim user (can already be seen in my mail headers), I always
> wondered about the weird way that Exim (according to the docs/spec)
> tries to reinit TLS for each message on a connection.
>
> It seemed very much contrary to protocol, unlike the simple
> approach of running TLS in one process, piping the plaintext
> (E)SMTP stream to/from a succession of message processing processes,
> which can be reforked without breaking the stream and without
> ability to steal TLS keys through any security vulnerabilities.

http://exim.org/exim-html-current/doc/html/spec_html/ch-encrypted_smtp_connections_using_tlsssl.html#SECTmulmessam

"for sending using TLS Exim starts an additional proxy process for handling the encryption, piping the unencrypted data stream from and to the delivery processes"

--
Cheers,
Jeremy