You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
86 lines
3.2 KiB
Plaintext
86 lines
3.2 KiB
Plaintext
|
|
### main/03_exim4-config_tlsoptions
|
|
#################################
|
|
|
|
# TLS/SSL configuration for exim as an SMTP server.
|
|
# See /usr/share/doc/exim4-base/README.Debian.gz for explanations.
|
|
|
|
.ifdef MAIN_TLS_ENABLE
|
|
# Defines what hosts to 'advertise' STARTTLS functionality to. The
|
|
# default, *, will advertise to all hosts that connect with EHLO.
|
|
.ifndef MAIN_TLS_ADVERTISE_HOSTS
|
|
MAIN_TLS_ADVERTISE_HOSTS = *
|
|
.endif
|
|
tls_advertise_hosts = MAIN_TLS_ADVERTISE_HOSTS
|
|
|
|
|
|
# Full paths to Certificate and Private Key. The Private Key file
|
|
# must be kept 'secret' and should be owned by root.Debian-exim mode
|
|
# 640 (-rw-r-----). exim-gencert takes care of these prerequisites.
|
|
# Normally, exim4 looks for certificate and key in different files:
|
|
# MAIN_TLS_CERTIFICATE - path to certificate file,
|
|
# CONFDIR/exim.crt if unset
|
|
# MAIN_TLS_PRIVATEKEY - path to private key file
|
|
# CONFDIR/exim.key if unset
|
|
# You can also configure exim to look for certificate and key in the
|
|
# same file, set MAIN_TLS_CERTKEY to that file to enable. This takes
|
|
# precedence over all other settings regarding certificate and key file.
|
|
.ifdef MAIN_TLS_CERTKEY
|
|
tls_certificate = MAIN_TLS_CERTKEY
|
|
.else
|
|
.ifndef MAIN_TLS_CERTIFICATE
|
|
MAIN_TLS_CERTIFICATE = CONFDIR/exim.crt
|
|
.endif
|
|
tls_certificate = MAIN_TLS_CERTIFICATE
|
|
|
|
.ifndef MAIN_TLS_PRIVATEKEY
|
|
MAIN_TLS_PRIVATEKEY = CONFDIR/exim.key
|
|
.endif
|
|
tls_privatekey = MAIN_TLS_PRIVATEKEY
|
|
.endif
|
|
|
|
# Pointer to the CA Certificates against which client certificates are
|
|
# checked. This is controlled by the `tls_verify_hosts' and
|
|
# `tls_try_verify_hosts' lists below.
|
|
# If you want to check server certificates, you need to add an
|
|
# tls_verify_certificates statement to the smtp transport.
|
|
# /etc/ssl/certs/ca-certificates.crt is generated by
|
|
# the "ca-certificates" package's update-ca-certificates(8) command.
|
|
.ifndef MAIN_TLS_VERIFY_CERTIFICATES
|
|
MAIN_TLS_VERIFY_CERTIFICATES = ${if exists{/etc/ssl/certs/ca-certificates.crt}\
|
|
{/etc/ssl/certs/ca-certificates.crt}\
|
|
{/dev/null}}
|
|
.endif
|
|
tls_verify_certificates = MAIN_TLS_VERIFY_CERTIFICATES
|
|
|
|
|
|
# A list of hosts which are constrained by `tls_verify_certificates'. A host
|
|
# that matches `tls_verify_host' must present a certificate that is
|
|
# verifyable through `tls_verify_certificates' in order to be accepted as an
|
|
# SMTP client. If it does not, the connection is aborted.
|
|
.ifdef MAIN_TLS_VERIFY_HOSTS
|
|
tls_verify_hosts = MAIN_TLS_VERIFY_HOSTS
|
|
.endif
|
|
|
|
# A weaker form of checking: if a client matches `tls_try_verify_hosts' (but
|
|
# not `tls_verify_hosts'), request a certificate and check it against
|
|
# `tls_verify_certificates' but do not abort the connection if there is no
|
|
# certificate or if the certificate presented does not match. (This
|
|
# condition can be tested for in ACLs through `verify = certificate')
|
|
# By default, this check is done for all hosts. It is known that some
|
|
# clients (including incredimail's version downloadable in February
|
|
# 2008) choke on this. To disable, set MAIN_TLS_TRY_VERIFY_HOSTS to an
|
|
# empty value.
|
|
.ifdef MAIN_TLS_TRY_VERIFY_HOSTS
|
|
tls_try_verify_hosts = MAIN_TLS_TRY_VERIFY_HOSTS
|
|
.endif
|
|
|
|
.ifdef _HAVE_GNUTLS
|
|
tls_dhparam = historic
|
|
.endif
|
|
|
|
.else
|
|
# Don't advertise TLS if MAIN_TLS_ENABLE is not set.
|
|
tls_advertise_hosts =
|
|
.endif
|