Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- ### main/03_exim4-config_tlsoptions
- #################################
- # TLS/SSL configuration for exim as an SMTP server.
- # See /usr/share/doc/exim4-base/README.Debian.gz for explanations.
- MAIN_TLS_ENABLE = yes
- .ifdef MAIN_TLS_ENABLE
- # Defines what hosts to 'advertise' STARTTLS functionality to. The
- # default, *, will advertise to all hosts that connect with EHLO.
- .ifndef MAIN_TLS_ADVERTISE_HOSTS
- MAIN_TLS_ADVERTISE_HOSTS = *
- .endif
- tls_advertise_hosts = MAIN_TLS_ADVERTISE_HOSTS
- # Full paths to Certificate and Private Key. The Private Key file
- # must be kept 'secret' and should be owned by root.Debian-exim mode
- # 640 (-rw-r-----). exim-gencert takes care of these prerequisites.
- # Normally, exim4 looks for certificate and key in different files:
- # MAIN_TLS_CERTIFICATE - path to certificate file,
- # CONFDIR/exim.crt if unset
- # MAIN_TLS_PRIVATEKEY - path to private key file
- # CONFDIR/exim.key if unset
- # You can also configure exim to look for certificate and key in the
- # same file, set MAIN_TLS_CERTKEY to that file to enable. This takes
- # precedence over all other settings regarding certificate and key file.
- .ifdef MAIN_TLS_CERTKEY
- tls_certificate = MAIN_TLS_CERTKEY
- .else
- .ifndef MAIN_TLS_CERTIFICATE
- MAIN_TLS_CERTIFICATE = CONFDIR/exim.crt
- .endif
- tls_certificate = MAIN_TLS_CERTIFICATE
- .ifndef MAIN_TLS_PRIVATEKEY
- MAIN_TLS_PRIVATEKEY = CONFDIR/exim.key
- .endif
- tls_privatekey = MAIN_TLS_PRIVATEKEY
- .endif
- # Pointer to the CA Certificates against which client certificates are
- # checked. This is controlled by the `tls_verify_hosts' and
- # `tls_try_verify_hosts' lists below.
- # If you want to check server certificates, you need to add an
- # tls_verify_certificates statement to the smtp transport.
- # /etc/ssl/certs/ca-certificates.crt is generated by
- # the "ca-certificates" package's update-ca-certificates(8) command.
- .ifndef MAIN_TLS_VERIFY_CERTIFICATES
- MAIN_TLS_VERIFY_CERTIFICATES = ${if exists{/etc/ssl/certs/ca-certificates.crt}\
- {/etc/ssl/certs/ca-certificates.crt}\
- {/dev/null}}
- .endif
- tls_verify_certificates = MAIN_TLS_VERIFY_CERTIFICATES
- # A list of hosts which are constrained by `tls_verify_certificates'. A host
- # that matches `tls_verify_host' must present a certificate that is
- # verifyable through `tls_verify_certificates' in order to be accepted as an
- # SMTP client. If it does not, the connection is aborted.
- .ifdef MAIN_TLS_VERIFY_HOSTS
- tls_verify_hosts = MAIN_TLS_VERIFY_HOSTS
- .endif
- # A weaker form of checking: if a client matches `tls_try_verify_hosts' (but
- # not `tls_verify_hosts'), request a certificate and check it against
- # `tls_verify_certificates' but do not abort the connection if there is no
- # certificate or if the certificate presented does not match. (This
- # condition can be tested for in ACLs through `verify = certificate')
- # By default, this check is done for all hosts. It is known that some
- # clients (including incredimail's version downloadable in February
- # 2008) choke on this. To disable, set MAIN_TLS_TRY_VERIFY_HOSTS to an
- # empty value.
- .ifdef MAIN_TLS_TRY_VERIFY_HOSTS
- tls_try_verify_hosts = MAIN_TLS_TRY_VERIFY_HOSTS
- .endif
- .endif
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement