# Full paths to Certificate and Private Key. The Private Key file
# must be kept 'secret' and should be owned by root.Debian-exim mode
# 640 (-rw-r-----). exim-gencert takes care of these prerequisites.
+# Normally, exim4 looks for certificate and key in different files:
+# MAIN_TLS_CERTIFICATE - path to certificate file,
+# CONFDIR/exim.crt if unset
+# MAIN_TLS_PRIVATEKEY - path to private key file
+# CONFDIR/exim.key if unset
+# You can also configure exim to look for certificate and key in the
+# same file, set MAIN_TLS_CERTKEY to that file to enable. This takes
+# precedence over all other settings regarding certificate and key file.
+.ifdef MAIN_TLS_CERTKEY
+tls_certificate = MAIN_TLS_CERTKEY
+.else
.ifndef MAIN_TLS_CERTIFICATE
MAIN_TLS_CERTIFICATE = CONFDIR/exim.crt
.endif
MAIN_TLS_PRIVATEKEY = CONFDIR/exim.key
.endif
tls_privatekey = MAIN_TLS_PRIVATEKEY
+.endif
-
-# Pointer to the CA Certificates against which host certificates are
+# Pointer to the CA Certificates against which client certificates are
# checked. This is controlled by the `tls_verify_hosts' and
# `tls_try_verify_hosts' lists below.
+# If you want to check server certificates, you need to add an
+# tls_verify_certificates statement to the smtp transport.
# /etc/ssl/certs/ca-certificates.crt is generated by
# the "ca-certificates" package's update-ca-certificates(8) command.
.ifndef MAIN_TLS_VERIFY_CERTIFICATES
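Review bot: The new MAIN_TLS_CERTKEY branch points `tls_certificate` at a file that also holds the private key, but the permission guidance at the top of the hunk still covers only the separate Private Key file. I would extend the added comment block with something like `# The combined file contains the private key and must be protected like one:` followed by `# owned by root.Debian-exim, mode 640 (-rw-r-----), never world-readable.`, so that an admin who drops a PEM bundle into place does not leave the key exposed. It would also help to state that this branch deliberately leaves `tls_privatekey` unset, because Exim then reads the key from the certificate file. The conditional nesting cannot be checked from this page, since some context lines between `.else` and the final `.endif` appear to be missing, so the pairing of `.ifndef`/`.endif` is worth confirming against the real file.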