[exim] Advertising TLS

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Jeremy Harris
Datum:  
To: exim-users
Betreff: [exim] Advertising TLS
Should we change the tls_advertise_hosts main-option default
from none- to all-hosts?

A paper went past recently pointing out that we are not
secure-by-default. The technical problem is the server certificate.
Generating one feels more like an install issue, typically
handled by the distro - who would, presumably, be overriding
the hardcoded default for tls_advertise_hosts anyway.

But what about self-builders (and, I suppose, the distro
maintainers)? Should we be encouraging them by making
this change and then refusing to run (with some appropriate
error message) if tls_certificate is not set?

Or is this all too far towards advocacy and not something we
should touch?



Allegedly, postscript generates a selfsigned server cert
as part of installation. I've not verified this.

--
Cheers,
Jeremy