Diffstat (limited to 'debian/debconf/conf.d/main/03_exim4-config_tlsoptions')
-rw-r--r--debian/debconf/conf.d/main/03_exim4-config_tlsoptions85
1 files changed, 85 insertions, 0 deletions
diff --git a/debian/debconf/conf.d/main/03_exim4-config_tlsoptions b/debian/debconf/conf.d/main/03_exim4-config_tlsoptions
new file mode 100644
index 0000000..86299e1
--- /dev/null
+++ b/debian/debconf/conf.d/main/03_exim4-config_tlsoptions
@@ -0,0 +1,85 @@
+
+### main/03_exim4-config_tlsoptions
+#################################
+
+# TLS/SSL configuration for exim as an SMTP server.
+# See /usr/share/doc/exim4-base/README.Debian.gz for explanations.
+
+.ifdef MAIN_TLS_ENABLE
+# Defines what hosts to 'advertise' STARTTLS functionality to. The
+# default, *, will advertise to all hosts that connect with EHLO.
+.ifndef MAIN_TLS_ADVERTISE_HOSTS
+MAIN_TLS_ADVERTISE_HOSTS = *
+.endif
+tls_advertise_hosts = MAIN_TLS_ADVERTISE_HOSTS
+
+
+# Full paths to Certificate and Private Key. The Private Key file
+# must be kept 'secret' and should be owned by root.Debian-exim mode
+# 640 (-rw-r-----). exim-gencert takes care of these prerequisites.
+# Normally, exim4 looks for certificate and key in different files:
+# MAIN_TLS_CERTIFICATE - path to certificate file,
+# CONFDIR/exim.crt if unset
+# MAIN_TLS_PRIVATEKEY - path to private key file
+# CONFDIR/exim.key if unset
+# You can also configure exim to look for certificate and key in the
+# same file, set MAIN_TLS_CERTKEY to that file to enable. This takes
+# precedence over all other settings regarding certificate and key file.
+.ifdef MAIN_TLS_CERTKEY
+tls_certificate = MAIN_TLS_CERTKEY
+.else
+.ifndef MAIN_TLS_CERTIFICATE
+MAIN_TLS_CERTIFICATE = CONFDIR/exim.crt
+.endif
+tls_certificate = MAIN_TLS_CERTIFICATE
+
+.ifndef MAIN_TLS_PRIVATEKEY
+MAIN_TLS_PRIVATEKEY = CONFDIR/exim.key
+.endif
+tls_privatekey = MAIN_TLS_PRIVATEKEY
+.endif
+
+# Pointer to the CA Certificates against which client certificates are
+# checked. This is controlled by the `tls_verify_hosts' and
+# `tls_try_verify_hosts' lists below.
+# If you want to check server certificates, you need to add an
+# tls_verify_certificates statement to the smtp transport.
+# /etc/ssl/certs/ca-certificates.crt is generated by
+# the "ca-certificates" package's update-ca-certificates(8) command.
+.ifndef MAIN_TLS_VERIFY_CERTIFICATES
+MAIN_TLS_VERIFY_CERTIFICATES = ${if exists{/etc/ssl/certs/ca-certificates.crt}\
+ {/etc/ssl/certs/ca-certificates.crt}\
+ {/dev/null}}
+.endif
+tls_verify_certificates = MAIN_TLS_VERIFY_CERTIFICATES
+
+
+# A list of hosts which are constrained by `tls_verify_certificates'. A host
+# that matches `tls_verify_host' must present a certificate that is
+# verifyable through `tls_verify_certificates' in order to be accepted as an
+# SMTP client. If it does not, the connection is aborted.
+.ifdef MAIN_TLS_VERIFY_HOSTS
+tls_verify_hosts = MAIN_TLS_VERIFY_HOSTS
+.endif
+
+# A weaker form of checking: if a client matches `tls_try_verify_hosts' (but
+# not `tls_verify_hosts'), request a certificate and check it against
+# `tls_verify_certificates' but do not abort the connection if there is no
+# certificate or if the certificate presented does not match. (This
+# condition can be tested for in ACLs through `verify = certificate')
+# By default, this check is done for all hosts. It is known that some
+# clients (including incredimail's version downloadable in February
+# 2008) choke on this. To disable, set MAIN_TLS_TRY_VERIFY_HOSTS to an
+# empty value.
+.ifdef MAIN_TLS_TRY_VERIFY_HOSTS
+tls_try_verify_hosts = MAIN_TLS_TRY_VERIFY_HOSTS
+.endif
+
+.ifdef _HAVE_GNUTLS
+tls_dhparam = historic
+.endif
+
+.else
+# Don't advertise TLS if MAIN_TLS_ENABLE is not set.
+tls_advertise_hosts =
+.endif
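Review bot: The comment above `.ifdef MAIN_TLS_TRY_VERIFY_HOSTS` says the try-verify check is done for all hosts by default, but the new code only sets `tls_try_verify_hosts` when the macro is already defined and never gives it a default the way `MAIN_TLS_ADVERTISE_HOSTS` gets `*`. Unless another configuration fragment defines the macro, no certificate is requested from clients outside `tls_verify_hosts`, so an ACL relying on `verify = certificate` would not pass for them, and an administrator reading the comment may assume verification that is not taking place. Either correct the comment, e.g. `# This check is only done for hosts listed in MAIN_TLS_TRY_VERIFY_HOSTS; it is off when the macro is unset.`, or add an `.ifndef` default of `*` to match the text. Separately, `tls_dhparam = historic` carries no comment; a line explaining why the historic GnuTLS parameter handling is preferred over Exim's built-in default would help anyone auditing the key-exchange settings.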