[hcoop/debian/exim4.git] / debian / debconf / conf.d / main / 03_exim4-config_tlsoptions


### main/03_exim4-config_tlsoptions
#################################

# TLS/SSL configuration for exim as an SMTP server.
# See /usr/share/doc/exim4-base/README.Debian.gz for explanations.

.ifdef MAIN_TLS_ENABLE
# Defines what hosts to 'advertise' STARTTLS functionality to. The
# default, *, will advertise to all hosts that connect with EHLO.
.ifndef MAIN_TLS_ADVERTISE_HOSTS
MAIN_TLS_ADVERTISE_HOSTS = *
.endif
tls_advertise_hosts = MAIN_TLS_ADVERTISE_HOSTS


# Full paths to Certificate and Private Key. The Private Key file
# must be kept 'secret' and should be owned by root.Debian-exim mode
# 640 (-rw-r-----). exim-gencert takes care of these prerequisites.
# Normally, exim4 looks for certificate and key in different files:
#   MAIN_TLS_CERTIFICATE - path to certificate file,
#                          CONFDIR/exim.crt if unset
#   MAIN_TLS_PRIVATEKEY  - path to private key file
#                          CONFDIR/exim.key if unset
# You can also configure exim to look for certificate and key in the
# same file, set MAIN_TLS_CERTKEY to that file to enable. This takes
# precedence over all other settings regarding certificate and key file.
.ifdef MAIN_TLS_CERTKEY
tls_certificate = MAIN_TLS_CERTKEY
.else
.ifndef MAIN_TLS_CERTIFICATE
MAIN_TLS_CERTIFICATE = CONFDIR/exim.crt
.endif
tls_certificate = MAIN_TLS_CERTIFICATE

.ifndef MAIN_TLS_PRIVATEKEY
MAIN_TLS_PRIVATEKEY = CONFDIR/exim.key
.endif
tls_privatekey = MAIN_TLS_PRIVATEKEY
.endif

# Pointer to the CA Certificates against which client certificates are
# checked. This is controlled by the `tls_verify_hosts' and
# `tls_try_verify_hosts' lists below.
# If you want to check server certificates, you need to add an
# tls_verify_certificates statement to the smtp transport.
# /etc/ssl/certs/ca-certificates.crt is generated by
# the "ca-certificates" package's update-ca-certificates(8) command.
.ifndef MAIN_TLS_VERIFY_CERTIFICATES
MAIN_TLS_VERIFY_CERTIFICATES = ${if exists{/etc/ssl/certs/ca-certificates.crt}\
                                    {/etc/ssl/certs/ca-certificates.crt}\
				    {/dev/null}}
.endif
tls_verify_certificates = MAIN_TLS_VERIFY_CERTIFICATES


# A list of hosts which are constrained by `tls_verify_certificates'. A host
# that matches `tls_verify_host' must present a certificate that is
# verifyable through `tls_verify_certificates' in order to be accepted as an
# SMTP client. If it does not, the connection is aborted.
.ifdef MAIN_TLS_VERIFY_HOSTS
tls_verify_hosts = MAIN_TLS_VERIFY_HOSTS
.endif

# A weaker form of checking: if a client matches `tls_try_verify_hosts' (but
# not `tls_verify_hosts'), request a certificate and check it against
# `tls_verify_certificates' but do not abort the connection if there is no
# certificate or if the certificate presented does not match. (This
# condition can be tested for in ACLs through `verify = certificate')
# By default, this check is done for all hosts. It is known that some
# clients (including incredimail's version downloadable in February
# 2008) choke on this. To disable, set MAIN_TLS_TRY_VERIFY_HOSTS to an
# empty value.
.ifdef MAIN_TLS_TRY_VERIFY_HOSTS
tls_try_verify_hosts = MAIN_TLS_TRY_VERIFY_HOSTS
.endif

.ifdef _HAVE_GNUTLS
tls_dhparam = historic
.endif

.else
# Don't advertise TLS if MAIN_TLS_ENABLE is not set.
tls_advertise_hosts =
.endif
Commit	Line	Data
de45f55a AM	1
	2	### main/03_exim4-config_tlsoptions
	3	#################################
	4
	5	# TLS/SSL configuration for exim as an SMTP server.
	6	# See /usr/share/doc/exim4-base/README.Debian.gz for explanations.
	7
	8	.ifdef MAIN_TLS_ENABLE
	9	# Defines what hosts to 'advertise' STARTTLS functionality to. The
	10	# default, *, will advertise to all hosts that connect with EHLO.
	11	.ifndef MAIN_TLS_ADVERTISE_HOSTS
	12	MAIN_TLS_ADVERTISE_HOSTS = *
	13	.endif
	14	tls_advertise_hosts = MAIN_TLS_ADVERTISE_HOSTS
	15
	16
	17	# Full paths to Certificate and Private Key. The Private Key file
	18	# must be kept 'secret' and should be owned by root.Debian-exim mode
	19	# 640 (-rw-r-----). exim-gencert takes care of these prerequisites.
	20	# Normally, exim4 looks for certificate and key in different files:
	21	# MAIN_TLS_CERTIFICATE - path to certificate file,
	22	# CONFDIR/exim.crt if unset
	23	# MAIN_TLS_PRIVATEKEY - path to private key file
	24	# CONFDIR/exim.key if unset
	25	# You can also configure exim to look for certificate and key in the
	26	# same file, set MAIN_TLS_CERTKEY to that file to enable. This takes
	27	# precedence over all other settings regarding certificate and key file.
	28	.ifdef MAIN_TLS_CERTKEY
	29	tls_certificate = MAIN_TLS_CERTKEY
	30	.else
	31	.ifndef MAIN_TLS_CERTIFICATE
	32	MAIN_TLS_CERTIFICATE = CONFDIR/exim.crt
	33	.endif
	34	tls_certificate = MAIN_TLS_CERTIFICATE
	35
	36	.ifndef MAIN_TLS_PRIVATEKEY
	37	MAIN_TLS_PRIVATEKEY = CONFDIR/exim.key
	38	.endif
	39	tls_privatekey = MAIN_TLS_PRIVATEKEY
	40	.endif
	41
	42	# Pointer to the CA Certificates against which client certificates are
	43	# checked. This is controlled by the `tls_verify_hosts' and
	44	# `tls_try_verify_hosts' lists below.
	45	# If you want to check server certificates, you need to add an
	46	# tls_verify_certificates statement to the smtp transport.
	47	# /etc/ssl/certs/ca-certificates.crt is generated by
	48	# the "ca-certificates" package's update-ca-certificates(8) command.
	49	.ifndef MAIN_TLS_VERIFY_CERTIFICATES
	50	MAIN_TLS_VERIFY_CERTIFICATES = ${if exists{/etc/ssl/certs/ca-certificates.crt}\
	51	{/etc/ssl/certs/ca-certificates.crt}\
	52	{/dev/null}}
	53	.endif
	54	tls_verify_certificates = MAIN_TLS_VERIFY_CERTIFICATES
	55
	56
	57	# A list of hosts which are constrained by `tls_verify_certificates'. A host
	58	# that matches `tls_verify_host' must present a certificate that is
	59	# verifyable through `tls_verify_certificates' in order to be accepted as an
	60	# SMTP client. If it does not, the connection is aborted.
	61	.ifdef MAIN_TLS_VERIFY_HOSTS
	62	tls_verify_hosts = MAIN_TLS_VERIFY_HOSTS
	63	.endif
	64
65	# A weaker form of checking: if a client matches `tls_try_verify_hosts' (but
66	# not `tls_verify_hosts'), request a certificate and check it against
67	# `tls_verify_certificates' but do not abort the connection if there is no
68	# certificate or if the certificate presented does not match. (This
69	# condition can be tested for in ACLs through `verify = certificate')
70	# By default, this check is done for all hosts. It is known that some
71	# clients (including incredimail's version downloadable in February
72	# 2008) choke on this. To disable, set MAIN_TLS_TRY_VERIFY_HOSTS to an
73	# empty value.
74	.ifdef MAIN_TLS_TRY_VERIFY_HOSTS
75	tls_try_verify_hosts = MAIN_TLS_TRY_VERIFY_HOSTS
76	.endif
77
0baa7b9d SB	78	.ifdef _HAVE_GNUTLS
	79	tls_dhparam = historic
	80	.endif
	81
	82	.else
	83	# Don't advertise TLS if MAIN_TLS_ENABLE is not set.
	84	tls_advertise_hosts =
de45f55a	85	.endif