
exim4 tls

a guest
Aug 17th, 2011
  1.  
  2.  
  3. output:
  4.  
  5. /etc/init.d/exim4 restart
  6. Stopping MTA for restart: exim4_listener.
  7. Restarting MTA: exim4.
  8. root@Duizend:/etc/exim4/conf.d/main# exim4 -bP | grep tls_
  9.  
  10. no_gnutls_compat_mode
  11. gnutls_require_kx =
  12. gnutls_require_mac =
  13. gnutls_require_protocols =
  14. log_selector = +tls_peerdn
  15. received_header_text = Received: ${if def:sender_rcvhost {from $sender_rcvhost\n\t}{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)\n\t}}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} ${if def:tls_cipher {($tls_cipher)\n\t}}(Exim $version_number)\n\t${if def:sender_address {(envelope-from <$sender_address>)\n\t}}id $message_exim_id${if def:received_for {\n\tfor $received_for}}
  16. tls_advertise_hosts =
  17. tls_certificate =
  18. tls_crl =
  19. tls_dhparam =
  20. tls_on_connect_ports =
  21. tls_privatekey =
  22. no_tls_remember_esmtp
  23. tls_require_ciphers =
  24. tls_try_verify_hosts =
  25. tls_verify_certificates =
  26. tls_verify_hosts =
  27.  
  28. -----------------------------------------------------------------------
  29.  
  30. THE 03_exim4-config_tlsoptions file
  31.  
  32.  
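  33. ### main/03_exim4-config_tlsoptions
  34. #################################
  35.  
  36. # TLS/SSL configuration for exim as an SMTP server.
  37. # See /usr/share/doc/exim4-base/README.Debian.gz for explanations.
  38. # NOTE: .ifdef only tests whether a macro is defined; it never sets one.
  39. # Define MAIN_TLS_ENABLE in a local macros file (see README.Debian).
  40. .ifdef MAIN_TLS_ENABLE
  41. # Defines what hosts to 'advertise' STARTTLS functionality to. The
  42. # default, *, will advertise to all hosts that connect with EHLO.
  43. .ifndef MAIN_TLS_ADVERTISE_HOSTS
  44. MAIN_TLS_ADVERTISE_HOSTS = *
  45. .endif
  46. tls_advertise_hosts = MAIN_TLS_ADVERTISE_HOSTS
  47.  
  48.  
  49. # Full paths to Certificate and Private Key. The Private Key file
  50. # must be kept 'secret' and should be owned by root.Debian-exim mode
  51. # 640 (-rw-r-----). exim-gencert takes care of these prerequisites.
  52. # Normally, exim4 looks for certificate and key in different files:
  53. # MAIN_TLS_CERTIFICATE - path to certificate file,
  54. # CONFDIR/exim.crt if unset
  55. # MAIN_TLS_PRIVATEKEY - path to private key file
  56. # CONFDIR/exim.key if unset
  57. # You can also configure exim to look for certificate and key in the
  58. # same file, set MAIN_TLS_CERTKEY to that file to enable. This takes
  59. # precedence over all other settings regarding certificate and key file.
  60. .ifdef MAIN_TLS_CERTKEY
  61. tls_certificate = MAIN_TLS_CERTKEY
  62. .else
  63. .ifndef MAIN_TLS_CERTIFICATE
  64. MAIN_TLS_CERTIFICATE = /etc/exim4/exim.crt
  65. .endif
  66. tls_certificate = MAIN_TLS_CERTIFICATE
  67.  
  68. .ifndef MAIN_TLS_PRIVATEKEY
  69. MAIN_TLS_PRIVATEKEY = /etc/exim4/exim.key
  70. .endif
  71. tls_privatekey = MAIN_TLS_PRIVATEKEY
  72. .endif
  73.  
  74. # Pointer to the CA Certificates against which client certificates are
  75. # checked. This is controlled by the `tls_verify_hosts' and
  76. # `tls_try_verify_hosts' lists below.
  77. # If you want to check server certificates, you need to add a
  78. # tls_verify_certificates statement to the smtp transport.
  79. # /etc/ssl/certs/ca-certificates.crt is generated by
  80. # the "ca-certificates" package's update-ca-certificates(8) command.
  81. .ifndef MAIN_TLS_VERIFY_CERTIFICATES
  82. MAIN_TLS_VERIFY_CERTIFICATES = ${if exists{/etc/ssl/certs/ca-certificates.crt}\
  83. {/etc/ssl/certs/ca-certificates.crt}\
  84. {/dev/null}}
  85. .endif
  86. tls_verify_certificates = MAIN_TLS_VERIFY_CERTIFICATES
  87.  
  88.  
  89. # A list of hosts which are constrained by `tls_verify_certificates'. A host
  90. # that matches `tls_verify_hosts' must present a certificate that is
  91. # verifiable through `tls_verify_certificates' in order to be accepted as an
  92. # SMTP client. If it does not, the connection is aborted.
  93. .ifdef MAIN_TLS_VERIFY_HOSTS
  94. tls_verify_hosts = MAIN_TLS_VERIFY_HOSTS
  95. .endif
  96.  
  97. # A weaker form of checking: if a client matches `tls_try_verify_hosts' (but
  98. # not `tls_verify_hosts'), request a certificate and check it against
  99. # `tls_verify_certificates' but do not abort the connection if there is no
  100. # certificate or if the certificate presented does not match. (This
  101. # condition can be tested for in ACLs through `verify = certificate')
  102. # By default, this check is done for all hosts. It is known that some
  103. # clients (including incredimail's version downloadable in February
  104. # 2008) choke on this. To disable, set MAIN_TLS_TRY_VERIFY_HOSTS to an
  105. # empty value.
  106. .ifdef MAIN_TLS_TRY_VERIFY_HOSTS
  107. tls_try_verify_hosts = MAIN_TLS_TRY_VERIFY_HOSTS
  108. .endif
  109.  
  110. .endif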
  111.  
  112.  
  113. -----------------------------------------------------------------------