nhneutrino

Untitled

Nov 4th, 2015
  1. ### main/03_exim4-config_tlsoptions
  2. #################################
  3.  
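  4. # TLS/SSL configuration for exim as an SMTP server.
  5. # See /usr/share/doc/exim4-base/README.Debian.gz for explanations.
  6. # The .ifdef below tests only whether MAIN_TLS_ENABLE is defined, not its
  7. # value: to turn TLS off, remove the definition instead of setting it to "no".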
  8. MAIN_TLS_ENABLE = yes
  9.  
  10. .ifdef MAIN_TLS_ENABLE
  11. # Defines what hosts to 'advertise' STARTTLS functionality to. The
  12. # default, *, will advertise to all hosts that connect with EHLO.
  13. .ifndef MAIN_TLS_ADVERTISE_HOSTS
  14. MAIN_TLS_ADVERTISE_HOSTS = *
  15. .endif
  16. tls_advertise_hosts = MAIN_TLS_ADVERTISE_HOSTS
  17.  
  18. # Full paths to Certificate and Private Key. The Private Key file
  19. # must be kept secret: owner root, group Debian-exim, mode 640
  20. # (-rw-r-----). exim-gencert takes care of these prerequisites.
  21. # Normally, exim4 looks for certificate and key in different files:
  22. # MAIN_TLS_CERTIFICATE - path to certificate file,
  23. # CONFDIR/exim.crt if unset
  24. # MAIN_TLS_PRIVATEKEY - path to private key file
  25. # CONFDIR/exim.key if unset
  26. # You can also configure exim to look for certificate and key in the
  27. # same file, set MAIN_TLS_CERTKEY to that file to enable. This takes
  28. # precedence over all other settings regarding certificate and key file.
  29. .ifdef MAIN_TLS_CERTKEY
  30. tls_certificate = MAIN_TLS_CERTKEY
  31. .else
  32. .ifndef MAIN_TLS_CERTIFICATE
  33. MAIN_TLS_CERTIFICATE = CONFDIR/exim.crt
  34. .endif
  35. tls_certificate = MAIN_TLS_CERTIFICATE
  36.  
  37. .ifndef MAIN_TLS_PRIVATEKEY
  38. MAIN_TLS_PRIVATEKEY = CONFDIR/exim.key
  39. .endif
  40. tls_privatekey = MAIN_TLS_PRIVATEKEY
  41. .endif
  42.  
  43. # Path to the CA certificates against which client certificates are
  44. # checked. Which clients are checked is controlled by the
  45. # `tls_verify_hosts' and `tls_try_verify_hosts' lists below.
  46. # To check server certificates on outgoing mail, add a
  47. # tls_verify_certificates statement to the smtp transport.
  48. # /etc/ssl/certs/ca-certificates.crt is generated by the "ca-certificates"
  49. # package's update-ca-certificates(8); if absent, /dev/null (no CAs) is used.
  50. .ifndef MAIN_TLS_VERIFY_CERTIFICATES
  51. MAIN_TLS_VERIFY_CERTIFICATES = ${if exists{/etc/ssl/certs/ca-certificates.crt}\
  52. {/etc/ssl/certs/ca-certificates.crt}\
  53. {/dev/null}}
  54. .endif
  55. tls_verify_certificates = MAIN_TLS_VERIFY_CERTIFICATES
  56.  
  57. # A list of hosts which are constrained by `tls_verify_certificates'. A host
  58. # that matches `tls_verify_hosts' must present a certificate that is
  59. # verifiable through `tls_verify_certificates' in order to be accepted as an
  60. # SMTP client. If it does not, the connection is aborted.
  61. .ifdef MAIN_TLS_VERIFY_HOSTS
  62. tls_verify_hosts = MAIN_TLS_VERIFY_HOSTS
  63. .endif
  64.  
  65. # A weaker form of checking: if a client matches `tls_try_verify_hosts' (but
  66. # not `tls_verify_hosts'), request a certificate and check it against
  67. # `tls_verify_certificates' but do not abort the connection if there is no
  68. # certificate or if the certificate presented does not match. (The result
  69. # can be tested for in ACLs through `verify = certificate'.)
  70. # By default, this check is done for all hosts. It is known that some
  71. # clients (including incredimail's version downloadable in February
  72. # 2008) choke on this. To disable, set MAIN_TLS_TRY_VERIFY_HOSTS to an
  73. # empty value. NOTE: the .ifdef below sets this only if the macro is defined.
  74. .ifdef MAIN_TLS_TRY_VERIFY_HOSTS
  75. tls_try_verify_hosts = MAIN_TLS_TRY_VERIFY_HOSTS
  76. .endif
  77.  
  78. .endif