[hcoop/zz_old/config/exim4-hopper.git] / conf.d / main / 03_exim4-config_tlsoptions


### main/03_exim4-config_tlsoptions
#################################

# TLS/SSL configuration for exim as an SMTP server.
# See /usr/share/doc/exim4-base/README.Debian.gz for explanations.

.ifdef MAIN_TLS_ENABLE
# Defines what hosts to 'advertise' STARTTLS functionality to. The
# default, *, will advertise to all hosts that connect with EHLO.
.ifndef MAIN_TLS_ADVERTISE_HOSTS
MAIN_TLS_ADVERTISE_HOSTS = *
.endif
tls_advertise_hosts = MAIN_TLS_ADVERTISE_HOSTS


# Full paths to Certificate and Private Key. The Private Key file
# must be kept 'secret' and should be owned by root.Debian-exim mode
# 640 (-rw-r-----). exim-gencert takes care of these prerequisites.
# Normally, exim4 looks for certificate and key in different files:
#   MAIN_TLS_CERTIFICATE - path to certificate file,
#                          CONFDIR/exim.crt if unset
#   MAIN_TLS_PRIVATEKEY  - path to private key file
#                          CONFDIR/exim.key if unset
# You can also configure exim to look for certificate and key in the
# same file, set MAIN_TLS_CERTKEY to that file to enable. This takes
# precedence over all other settings regarding certificate and key file.
.ifdef MAIN_TLS_CERTKEY
tls_certificate = MAIN_TLS_CERTKEY
.else
.ifndef MAIN_TLS_CERTIFICATE
MAIN_TLS_CERTIFICATE = CONFDIR/exim.crt
.endif
tls_certificate = MAIN_TLS_CERTIFICATE

.ifndef MAIN_TLS_PRIVATEKEY
MAIN_TLS_PRIVATEKEY = CONFDIR/exim.key
.endif
tls_privatekey = MAIN_TLS_PRIVATEKEY
.endif

# Pointer to the CA Certificates against which client certificates are
# checked. This is controlled by the `tls_verify_hosts' and
# `tls_try_verify_hosts' lists below.
# If you want to check server certificates, you need to add an
# tls_verify_certificates statement to the smtp transport.
# /etc/ssl/certs/ca-certificates.crt is generated by
# the "ca-certificates" package's update-ca-certificates(8) command.
.ifndef MAIN_TLS_VERIFY_CERTIFICATES
MAIN_TLS_VERIFY_CERTIFICATES = ${if exists{/etc/ssl/certs/ca-certificates.crt}\
                                    {/etc/ssl/certs/ca-certificates.crt}\
				    {/dev/null}}
.endif
tls_verify_certificates = MAIN_TLS_VERIFY_CERTIFICATES


# A list of hosts which are constrained by `tls_verify_certificates'. A host
# that matches `tls_verify_host' must present a certificate that is
# verifyable through `tls_verify_certificates' in order to be accepted as an
# SMTP client. If it does not, the connection is aborted.
.ifdef MAIN_TLS_VERIFY_HOSTS
tls_verify_hosts = MAIN_TLS_VERIFY_HOSTS
.endif

# A weaker form of checking: if a client matches `tls_try_verify_hosts' (but
# not `tls_verify_hosts'), request a certificate and check it against
# `tls_verify_certificates' but do not abort the connection if there is no
# certificate or if the certificate presented does not match. (This
# condition can be tested for in ACLs through `verify = certificate')
# By default, this check is done for all hosts. It is known that some
# clients (including incredimail's version downloadable in February
# 2008) choke on this. To disable, set MAIN_TLS_TRY_VERIFY_HOSTS to an
# empty value.
.ifndef MAIN_TLS_TRY_VERIFY_HOSTS
MAIN_TLS_TRY_VERIFY_HOSTS = *
.endif
tls_try_verify_hosts = MAIN_TLS_TRY_VERIFY_HOSTS

.endif
Commit	Line	Data
725c9874	1
	2	### main/03_exim4-config_tlsoptions
	3	#################################
	4
d38e06ff	5	# TLS/SSL configuration for exim as an SMTP server.
725c9874	6	# See /usr/share/doc/exim4-base/README.Debian.gz for explanations.
725c9874	7
725c9874	8	.ifdef MAIN_TLS_ENABLE
	9	# Defines what hosts to 'advertise' STARTTLS functionality to. The
	10	# default, *, will advertise to all hosts that connect with EHLO.
	11	.ifndef MAIN_TLS_ADVERTISE_HOSTS
	12	MAIN_TLS_ADVERTISE_HOSTS = *
	13	.endif
	14	tls_advertise_hosts = MAIN_TLS_ADVERTISE_HOSTS
	15
	16
	17	# Full paths to Certificate and Private Key. The Private Key file
	18	# must be kept 'secret' and should be owned by root.Debian-exim mode
	19	# 640 (-rw-r-----). exim-gencert takes care of these prerequisites.
d2b0a567	20	# Normally, exim4 looks for certificate and key in different files:
	21	# MAIN_TLS_CERTIFICATE - path to certificate file,
	22	# CONFDIR/exim.crt if unset
	23	# MAIN_TLS_PRIVATEKEY - path to private key file
	24	# CONFDIR/exim.key if unset
	25	# You can also configure exim to look for certificate and key in the
	26	# same file, set MAIN_TLS_CERTKEY to that file to enable. This takes
	27	# precedence over all other settings regarding certificate and key file.
	28	.ifdef MAIN_TLS_CERTKEY
	29	tls_certificate = MAIN_TLS_CERTKEY
	30	.else
725c9874	31	.ifndef MAIN_TLS_CERTIFICATE
	32	MAIN_TLS_CERTIFICATE = CONFDIR/exim.crt
	33	.endif
	34	tls_certificate = MAIN_TLS_CERTIFICATE
	35
	36	.ifndef MAIN_TLS_PRIVATEKEY
	37	MAIN_TLS_PRIVATEKEY = CONFDIR/exim.key
	38	.endif
	39	tls_privatekey = MAIN_TLS_PRIVATEKEY
d2b0a567	40	.endif
725c9874	41
d2b0a567	42	# Pointer to the CA Certificates against which client certificates are
725c9874	43	# checked. This is controlled by the `tls_verify_hosts' and
725c9874	44	# `tls_try_verify_hosts' lists below.
d2b0a567	45	# If you want to check server certificates, you need to add an
d2b0a567	46	# tls_verify_certificates statement to the smtp transport.
725c9874	47	# /etc/ssl/certs/ca-certificates.crt is generated by
	48	# the "ca-certificates" package's update-ca-certificates(8) command.
	49	.ifndef MAIN_TLS_VERIFY_CERTIFICATES
	50	MAIN_TLS_VERIFY_CERTIFICATES = ${if exists{/etc/ssl/certs/ca-certificates.crt}\
	51	{/etc/ssl/certs/ca-certificates.crt}\
	52	{/dev/null}}
	53	.endif
	54	tls_verify_certificates = MAIN_TLS_VERIFY_CERTIFICATES
	55
	56
	57	# A list of hosts which are constrained by `tls_verify_certificates'. A host
	58	# that matches `tls_verify_host' must present a certificate that is
	59	# verifyable through `tls_verify_certificates' in order to be accepted as an
	60	# SMTP client. If it does not, the connection is aborted.
	61	.ifdef MAIN_TLS_VERIFY_HOSTS
	62	tls_verify_hosts = MAIN_TLS_VERIFY_HOSTS
	63	.endif
	64
	65	# A weaker form of checking: if a client matches `tls_try_verify_hosts' (but
	66	# not `tls_verify_hosts'), request a certificate and check it against
	67	# `tls_verify_certificates' but do not abort the connection if there is no
	68	# certificate or if the certificate presented does not match. (This
	69	# condition can be tested for in ACLs through `verify = certificate')
d38e06ff CE	70	# By default, this check is done for all hosts. It is known that some
	71	# clients (including incredimail's version downloadable in February
	72	# 2008) choke on this. To disable, set MAIN_TLS_TRY_VERIFY_HOSTS to an
	73	# empty value.
725c9874	74	.ifndef MAIN_TLS_TRY_VERIFY_HOSTS
	75	MAIN_TLS_TRY_VERIFY_HOSTS = *
	76	.endif
	77	tls_try_verify_hosts = MAIN_TLS_TRY_VERIFY_HOSTS
	78
	79	.endif