Autor: Jeremy Harris Data: Dla: exim-users Temat: [exim] Advertising TLS
Should we change the tls_advertise_hosts main-option default
from none- to all-hosts?
A paper went past recently pointing out that we are not
secure-by-default. The technical problem is the server certificate.
Generating one feels more like an install issue, typically
handled by the distro - who would, presumably, be overriding
the hardcoded default for tls_advertise_hosts anyway.
But what about self-builders (and, I suppose, the distro
maintainers)? Should we be encouraging them by making
this change and then refusing to run (with some appropriate
error message) if tls_certificate is not set?
Or is this all too far towards advocacy and not something we
should touch?
Allegedly, postscript generates a selfsigned server cert
as part of installation. I've not verified this.