Re: [exim] Locally Sign certificates

Author: W B Hacker
Date:
To: exim users
Subject: Re: [exim] Locally Sign certificates
Kebba Foon wrote:
> On Tue, 2011-04-05 at 09:22 +0000, W B Hacker wrote:


>> Kebba Foon wrote:


*trimmed*

>
> I'm not sure how to make the setting only do MTA to MTA and not with the
> MUA(s),


MTAs submit on port 25.

MUAs submit on port 587 AND NOT port 25. Or should do, as a growing
number of wise ISPs block or intercept traffic destined to foreign port 25.

Your own 'other' boxen, say a NAS w/o an assigned set of DNS creds that
needs to transmit its logs, or relay boxen in a 'pool', can be
configured to submit on port 24. That's (part of) what it's for.

Webmail, IMAP & POP do not have to have the same certs as the MTA, but
*can* benefit from use of the same cert IF they are run on the same IP
(different port, of course).

Clients MAY throw a flag otherwise...

> maybe there is a setting to turn this off.


Settings can specify both IP and port ...

FWIW, if you use multiple IPs, you can create a dirtree named by IP and
have Exim get the correct certs for each by using the connection IP as
part of the lookup path.

Or just name the cert files by the IP with which they were associated at
creation-time.

You *can* even require a specific set of matching certs, but that's
probably overkill even for internal use...

> in my config I am doing
> tls_advertise_hosts = *


If you advertise it to all-comers (*) ... you really do need to
implement it!

It is also 'generally beneficial' to do the best you can to keep
transfers secure, so there may be servers in your environment that will
NOT connect without it.

Much as I like the idea of forcing that universally, it won't really
work (yet). Still far too many servers that do not support it.

==

Short-circuiting the rest of the discussion, if you are already past
1,000 users, Mike Cardwell's advice w/r low/no cost certs is probably
the way to go.

Self-signed may otherwise get you a largish amount of grief as folks
change MUA, use other webmail clients, borrowed machines, etc.

HTH,

Bill
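One way to wire up the port split and the per-IP certificate lookup Bill describes, as an added example that is not part of his post or the Exim project's own files: an Exim main-section fragment. The /etc/exim/tls path, the 192.0.2.x placeholder addresses and the internal CA file are assumptions.

```exim
# Constructed example of an Exim main-section fragment; not the poster's config.
# Assumes certs are stored by the listening IP, e.g.
#   /etc/exim/tls/192.0.2.10/cert.pem and /etc/exim/tls/192.0.2.10/key.pem
# (192.0.2.x is documentation address space, used here as a placeholder).

# MTAs arrive on 25, MUAs submit on 587; 465 is TLS-on-connect for older MUAs.
daemon_smtp_ports    = 25 : 587 : 465
tls_on_connect_ports = 465

# Offer STARTTLS to everyone; with "*" every listener must really have a cert.
tls_advertise_hosts = *

# Pick the certificate by the local interface address the connection came in
# on. $received_ip_address is set before these options are expanded, so each
# IP serves the cert issued for its own hostname; unknown IPs fall back to
# a default pair instead of failing the TLS handshake.
TLS_DIR = /etc/exim/tls
tls_certificate = ${if exists{TLS_DIR/$received_ip_address/cert.pem} \
                      {TLS_DIR/$received_ip_address/cert.pem} \
                      {TLS_DIR/default/cert.pem}}
tls_privatekey  = ${if exists{TLS_DIR/$received_ip_address/key.pem} \
                      {TLS_DIR/$received_ip_address/key.pem} \
                      {TLS_DIR/default/key.pem}}

# Optional: only the internal relay pool must present a client cert signed by
# our own CA; all other hosts may connect without one.
tls_verify_certificates = TLS_DIR/internal-ca.pem
tls_verify_hosts        = 192.0.2.0/24
```

Check the result with `openssl s_client -starttls smtp -connect <ip>:587` against each listening address and confirm the subject of the presented certificate matches that IP's hostname.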