725c9874 | 1 | |
2 | ### main/03_exim4-config_tlsoptions | |
3 | ################################# | |
4 | ||
d38e06ff | 5 | # TLS/SSL configuration for exim as an SMTP server. |
725c9874 | 6 | # See /usr/share/doc/exim4-base/README.Debian.gz for explanations. |
#
# Everything below is guarded by MAIN_TLS_ENABLE; the matching .endif is the
# last line of this file. With that macro undefined none of it takes effect.
# Macros honoured here (all optional, defaults given where one applies):
#   MAIN_TLS_ADVERTISE_HOSTS     default *
#   MAIN_TLS_CERTKEY             combined cert+key file, overrides the next two
#   MAIN_TLS_CERTIFICATE         default CONFDIR/exim.crt
#   MAIN_TLS_PRIVATEKEY          default CONFDIR/exim.key
#   MAIN_TLS_VERIFY_CERTIFICATES default: system CA bundle if present
#   MAIN_TLS_VERIFY_HOSTS        no default (mandatory client-cert check off)
#   MAIN_TLS_TRY_VERIFY_HOSTS    default *
7 | ||
725c9874 | 8 | .ifdef MAIN_TLS_ENABLE
9 | # Defines what hosts to 'advertise' STARTTLS functionality to. The | |
10 | # default, *, will advertise to all hosts that connect with EHLO. | |
11 | .ifndef MAIN_TLS_ADVERTISE_HOSTS | |
12 | MAIN_TLS_ADVERTISE_HOSTS = * | |
13 | .endif | |
14 | tls_advertise_hosts = MAIN_TLS_ADVERTISE_HOSTS | |
15 | ||
16 | ||
17 | # Full paths to Certificate and Private Key. The Private Key file | |
18 | # must be kept 'secret' and should be owned by root.Debian-exim mode | |
19 | # 640 (-rw-r-----). exim-gencert takes care of these prerequisites. | |
d2b0a567 | 20 | # Normally, exim4 looks for certificate and key in different files: |
21 | # MAIN_TLS_CERTIFICATE - path to certificate file, | |
22 | # CONFDIR/exim.crt if unset | |
23 | # MAIN_TLS_PRIVATEKEY - path to private key file | |
24 | # CONFDIR/exim.key if unset | |
25 | # You can also configure exim to look for certificate and key in the | |
26 | # same file; set MAIN_TLS_CERTKEY to that file to enable. This takes | |
27 | # precedence over all other settings regarding certificate and key file. | |
# When MAIN_TLS_CERTKEY is used, tls_privatekey is deliberately left unset
# (the .else branch below is skipped), so the combined file must hold the key
# as well as the certificate and needs the same 640 protection as exim.key.
28 | .ifdef MAIN_TLS_CERTKEY | |
29 | tls_certificate = MAIN_TLS_CERTKEY | |
30 | .else | |
725c9874 | 31 | .ifndef MAIN_TLS_CERTIFICATE |
32 | MAIN_TLS_CERTIFICATE = CONFDIR/exim.crt | |
33 | .endif | |
34 | tls_certificate = MAIN_TLS_CERTIFICATE | |
35 | ||
36 | .ifndef MAIN_TLS_PRIVATEKEY | |
37 | MAIN_TLS_PRIVATEKEY = CONFDIR/exim.key | |
38 | .endif | |
39 | tls_privatekey = MAIN_TLS_PRIVATEKEY | |
d2b0a567 | 40 | .endif
725c9874 | 41 | |
d2b0a567 | 42 | # Pointer to the CA Certificates against which client certificates are |
725c9874 | 43 | # checked. This is controlled by the `tls_verify_hosts' and |
44 | # `tls_try_verify_hosts' lists below. | |
d2b0a567 | 45 | # If you want to check server certificates, you need to add a |
46 | # tls_verify_certificates statement to the smtp transport. | |
725c9874 | 47 | # /etc/ssl/certs/ca-certificates.crt is generated by |
48 | # the "ca-certificates" package's update-ca-certificates(8) command. | |
# NOTE(review): if that bundle does not exist this falls back to /dev/null,
# i.e. an empty trust store. No client certificate can then be verified, so
# with the tls_try_verify_hosts = * default below a `verify = certificate'
# ACL condition will not succeed for any client until the bundle is present
# or MAIN_TLS_VERIFY_CERTIFICATES points at a usable CA file.
49 | .ifndef MAIN_TLS_VERIFY_CERTIFICATES | |
50 | MAIN_TLS_VERIFY_CERTIFICATES = ${if exists{/etc/ssl/certs/ca-certificates.crt}\ | |
51 | {/etc/ssl/certs/ca-certificates.crt}\ | |
52 | {/dev/null}} | |
53 | .endif | |
54 | tls_verify_certificates = MAIN_TLS_VERIFY_CERTIFICATES | |
55 | ||
56 | ||
57 | # A list of hosts which are constrained by `tls_verify_certificates'. A host | |
58 | # that matches `tls_verify_hosts' must present a certificate that is | |
59 | # verifiable through `tls_verify_certificates' in order to be accepted as an | |
60 | # SMTP client. If it does not, the connection is aborted. | |
# There is no default: tls_verify_hosts is only set when the administrator
# defines MAIN_TLS_VERIFY_HOSTS, so mandatory client authentication is off
# out of the box.
61 | .ifdef MAIN_TLS_VERIFY_HOSTS | |
62 | tls_verify_hosts = MAIN_TLS_VERIFY_HOSTS | |
63 | .endif | |
64 | ||
65 | # A weaker form of checking: if a client matches `tls_try_verify_hosts' (but | |
66 | # not `tls_verify_hosts'), request a certificate and check it against | |
67 | # `tls_verify_certificates' but do not abort the connection if there is no | |
68 | # certificate or if the certificate presented does not match. (This | |
69 | # condition can be tested for in ACLs through `verify = certificate'.) | |
d38e06ff CE |
70 | # By default, this check is done for all hosts. It is known that some |
71 | # clients (including incredimail's version downloadable in February |
72 | # 2008) choke on this. To disable, set MAIN_TLS_TRY_VERIFY_HOSTS to an | |
73 | # empty value. | |
725c9874 | 74 | .ifndef MAIN_TLS_TRY_VERIFY_HOSTS |
75 | MAIN_TLS_TRY_VERIFY_HOSTS = * | |
76 | .endif | |
77 | tls_try_verify_hosts = MAIN_TLS_TRY_VERIFY_HOSTS | |
78 | ||
# Closes the .ifdef MAIN_TLS_ENABLE that opened this file.
79 | .endif |