Initial import
1
2 ### main/03_exim4-config_tlsoptions
3 #################################
4
5 # TLS/SSL configuration.
6 # See /usr/share/doc/exim4-base/README.Debian.gz for explanations.
7
8
9 .ifdef MAIN_TLS_ENABLE
10 # Defines what hosts to 'advertise' STARTTLS functionality to. The
11 # default, *, will advertise to all hosts that connect with EHLO.
12 .ifndef MAIN_TLS_ADVERTISE_HOSTS
13 MAIN_TLS_ADVERTISE_HOSTS = *
14 .endif
15 tls_advertise_hosts = MAIN_TLS_ADVERTISE_HOSTS
16
17
18 # Full paths to the certificate and private key. The private key file
19 # must be kept secret and should be owned by root.Debian-exim with mode
20 # 640 (-rw-r-----). exim-gencert takes care of these prerequisites.
21 .ifndef MAIN_TLS_CERTIFICATE
22 MAIN_TLS_CERTIFICATE = CONFDIR/exim.crt
23 .endif
24 tls_certificate = MAIN_TLS_CERTIFICATE
25
26 .ifndef MAIN_TLS_PRIVATEKEY
27 MAIN_TLS_PRIVATEKEY = CONFDIR/exim.key
28 .endif
29 tls_privatekey = MAIN_TLS_PRIVATEKEY
30
31
32 # Path to the CA certificates against which peer certificates are
33 # checked. Which hosts are checked is controlled by the `tls_verify_hosts'
34 # and `tls_try_verify_hosts' lists below.
35 # /etc/ssl/certs/ca-certificates.crt is generated by
36 # the "ca-certificates" package's update-ca-certificates(8) command.
36 # If that bundle does not exist, /dev/null is used instead, so there are
36 # no CA certificates to verify against.
37 .ifndef MAIN_TLS_VERIFY_CERTIFICATES
38 MAIN_TLS_VERIFY_CERTIFICATES = ${if exists{/etc/ssl/certs/ca-certificates.crt}\
39 {/etc/ssl/certs/ca-certificates.crt}\
40 {/dev/null}}
41 .endif
42 tls_verify_certificates = MAIN_TLS_VERIFY_CERTIFICATES
43
44
45 # A list of hosts which are constrained by `tls_verify_certificates'. A host
46 # that matches `tls_verify_hosts' must present a certificate that is
47 # verifiable through `tls_verify_certificates' in order to be accepted as an
48 # SMTP client. If it does not, the connection is aborted.
49 .ifdef MAIN_TLS_VERIFY_HOSTS
50 tls_verify_hosts = MAIN_TLS_VERIFY_HOSTS
51 .endif
52
53 # A weaker form of checking: if a client matches `tls_try_verify_hosts' (but
54 # not `tls_verify_hosts'), request a certificate and check it against
55 # `tls_verify_certificates', but do not abort the connection if no
56 # certificate is presented or if the presented certificate does not verify.
57 # (The result of this check can be tested in ACLs with `verify = certificate'.)
58 .ifndef MAIN_TLS_TRY_VERIFY_HOSTS
59 MAIN_TLS_TRY_VERIFY_HOSTS = *
60 .endif
61 tls_try_verify_hosts = MAIN_TLS_TRY_VERIFY_HOSTS
62
63 .endif