1
2 ### main/03_exim4-config_tlsoptions
3 #################################
4
5 # TLS/SSL configuration for exim as an SMTP server.
6 # See /usr/share/doc/exim4-base/README.Debian.gz for explanations.
7
8 .ifdef MAIN_TLS_ENABLE
9 # Defines what hosts to 'advertise' STARTTLS functionality to. The
10 # default, *, will advertise to all hosts that connect with EHLO.
11 .ifndef MAIN_TLS_ADVERTISE_HOSTS
12 MAIN_TLS_ADVERTISE_HOSTS = *
13 .endif
14 tls_advertise_hosts = MAIN_TLS_ADVERTISE_HOSTS
15
16
17 # Full paths to Certificate and Private Key. The Private Key file
18 # must be kept secret: it should be owned by root.Debian-exim with mode
19 # 640 (-rw-r-----). exim-gencert takes care of these prerequisites.
20 # Normally, exim4 looks for certificate and key in different files:
21 # MAIN_TLS_CERTIFICATE - path to certificate file,
22 # CONFDIR/exim.crt if unset
23 # MAIN_TLS_PRIVATEKEY - path to private key file
24 # CONFDIR/exim.key if unset
25 # You can also configure exim to look for certificate and key in the
26 # same file; to enable this, set MAIN_TLS_CERTKEY to that file. It takes
27 # precedence over all other settings regarding certificate and key file.
28 .ifdef MAIN_TLS_CERTKEY
29 tls_certificate = MAIN_TLS_CERTKEY
30 .else
31 .ifndef MAIN_TLS_CERTIFICATE
32 MAIN_TLS_CERTIFICATE = CONFDIR/exim.crt
33 .endif
34 tls_certificate = MAIN_TLS_CERTIFICATE
35
36 .ifndef MAIN_TLS_PRIVATEKEY
37 MAIN_TLS_PRIVATEKEY = CONFDIR/exim.key
38 .endif
39 tls_privatekey = MAIN_TLS_PRIVATEKEY
40 .endif
41
42 # Pointer to the CA Certificates against which client certificates are
43 # checked. Which clients are checked is controlled by the `tls_verify_hosts'
44 # and `tls_try_verify_hosts' lists below. This covers connecting clients only;
45 # to check the certificates of servers that exim connects to, you need to add
46 # a tls_verify_certificates statement to the smtp transport instead.
47 # /etc/ssl/certs/ca-certificates.crt comes from the "ca-certificates" package's
48 # update-ca-certificates(8); if missing, /dev/null is used (no CA is trusted).
49 .ifndef MAIN_TLS_VERIFY_CERTIFICATES
50 MAIN_TLS_VERIFY_CERTIFICATES = ${if exists{/etc/ssl/certs/ca-certificates.crt}\
51 {/etc/ssl/certs/ca-certificates.crt}\
52 {/dev/null}}
53 .endif
54 tls_verify_certificates = MAIN_TLS_VERIFY_CERTIFICATES
55
56
57 # A list of hosts which are constrained by `tls_verify_certificates'. A host
58 # that matches `tls_verify_hosts' must present a certificate that is
59 # verifiable through `tls_verify_certificates' in order to be accepted as an
60 # SMTP client. If it does not, the connection is aborted.
61 .ifdef MAIN_TLS_VERIFY_HOSTS
62 tls_verify_hosts = MAIN_TLS_VERIFY_HOSTS
63 .endif
64
65 # A weaker form of checking: if a client matches `tls_try_verify_hosts' (but
66 # not `tls_verify_hosts'), request a certificate and check it against
67 # `tls_verify_certificates', but do not abort the connection if there is no
68 # certificate or if the certificate presented does not verify. (The outcome
69 # can be tested for in ACLs through `verify = certificate'.)
70 # By default, this check is done for all hosts. It is known that some
71 # clients (including incredimail's version downloadable in February
72 # 2008) choke on this. To disable it, set MAIN_TLS_TRY_VERIFY_HOSTS to an
73 # empty value.
74 .ifdef MAIN_TLS_TRY_VERIFY_HOSTS
75 tls_try_verify_hosts = MAIN_TLS_TRY_VERIFY_HOSTS
76 .endif
77 # GnuTLS only: 'historic' selects exim's historic built-in DH parameters; see tls_dhparam in the exim specification for what this implies.
78 .ifdef _HAVE_GNUTLS
79 tls_dhparam = historic
80 .endif
81
82 .else
83 # Don't advertise TLS if MAIN_TLS_ENABLE is not set.
84 tls_advertise_hosts =
85 .endif