| 725c9874 |
1 | |
| 2 | ### main/03_exim4-config_tlsoptions |
| 3 | ################################# |
| 4 | |
| 5 | # TLS/SSL configuration. |
| 6 | # See /usr/share/doc/exim4-base/README.Debian.gz for explanations. |
| 7 | |
| 8 | |
| 9 | .ifdef MAIN_TLS_ENABLE |
| 10 | # Defines what hosts to 'advertise' STARTTLS functionality to. The |
| 11 | # default, *, will advertise to all hosts that connect with EHLO. |
| 12 | .ifndef MAIN_TLS_ADVERTISE_HOSTS |
| 13 | MAIN_TLS_ADVERTISE_HOSTS = * |
| 14 | .endif |
| 15 | tls_advertise_hosts = MAIN_TLS_ADVERTISE_HOSTS |
| 16 | |
| 17 | |
| 18 | # Full paths to Certificate and Private Key. The Private Key file |
| 19 | # must be kept 'secret' and should be owned by root.Debian-exim mode |
| 20 | # 640 (-rw-r-----). exim-gencert takes care of these prerequisites. |
| d2b0a567 |
21 | # Normally, exim4 looks for certificate and key in different files: |
| 22 | # MAIN_TLS_CERTIFICATE - path to certificate file, |
| 23 | # CONFDIR/exim.crt if unset |
| 24 | # MAIN_TLS_PRIVATEKEY - path to private key file |
| 25 | # CONFDIR/exim.key if unset |
| 26 | # You can also configure exim to look for certificate and key in the |
| 27 | # same file, set MAIN_TLS_CERTKEY to that file to enable. This takes |
| 28 | # precedence over all other settings regarding certificate and key file. |
| 29 | .ifdef MAIN_TLS_CERTKEY |
| 30 | tls_certificate = MAIN_TLS_CERTKEY |
| 31 | .else |
| 725c9874 |
32 | .ifndef MAIN_TLS_CERTIFICATE |
| 33 | MAIN_TLS_CERTIFICATE = CONFDIR/exim.crt |
| 34 | .endif |
| 35 | tls_certificate = MAIN_TLS_CERTIFICATE |
| 36 | |
| 37 | .ifndef MAIN_TLS_PRIVATEKEY |
| 38 | MAIN_TLS_PRIVATEKEY = CONFDIR/exim.key |
| 39 | .endif |
| 40 | tls_privatekey = MAIN_TLS_PRIVATEKEY |
| d2b0a567 |
41 | .endif |
| 725c9874 |
42 | |
| d2b0a567 |
43 | # Pointer to the CA Certificates against which client certificates are |
| 725c9874 |
44 | # checked. This is controlled by the `tls_verify_hosts' and |
| 45 | # `tls_try_verify_hosts' lists below. |
| d2b0a567 |
46 | # If you want to check server certificates, you need to add an |
| 47 | # tls_verify_certificates statement to the smtp transport. |
| 725c9874 |
48 | # /etc/ssl/certs/ca-certificates.crt is generated by |
| 49 | # the "ca-certificates" package's update-ca-certificates(8) command. |
| 50 | .ifndef MAIN_TLS_VERIFY_CERTIFICATES |
| 51 | MAIN_TLS_VERIFY_CERTIFICATES = ${if exists{/etc/ssl/certs/ca-certificates.crt}\ |
| 52 | {/etc/ssl/certs/ca-certificates.crt}\ |
| 53 | {/dev/null}} |
| 54 | .endif |
| 55 | tls_verify_certificates = MAIN_TLS_VERIFY_CERTIFICATES |
| 56 | |
| 57 | |
| 58 | # A list of hosts which are constrained by `tls_verify_certificates'. A host |
| 59 | # that matches `tls_verify_host' must present a certificate that is |
| 60 | # verifyable through `tls_verify_certificates' in order to be accepted as an |
| 61 | # SMTP client. If it does not, the connection is aborted. |
| 62 | .ifdef MAIN_TLS_VERIFY_HOSTS |
| 63 | tls_verify_hosts = MAIN_TLS_VERIFY_HOSTS |
| 64 | .endif |
| 65 | |
| 66 | # A weaker form of checking: if a client matches `tls_try_verify_hosts' (but |
| 67 | # not `tls_verify_hosts'), request a certificate and check it against |
| 68 | # `tls_verify_certificates' but do not abort the connection if there is no |
| 69 | # certificate or if the certificate presented does not match. (This |
| 70 | # condition can be tested for in ACLs through `verify = certificate') |
| 71 | .ifndef MAIN_TLS_TRY_VERIFY_HOSTS |
| 72 | MAIN_TLS_TRY_VERIFY_HOSTS = * |
| 73 | .endif |
| 74 | tls_try_verify_hosts = MAIN_TLS_TRY_VERIFY_HOSTS |
| 75 | |
| 76 | .endif |
HCoop / hcoop / zz_old / config / exim4-hopper.git / blame