On Tue, 2015-11-03 at 13:51 +0000, Jeremy Harris wrote:
> Should we change the tls_advertise_hosts main-option default
> from none- to all-hosts?
>
> A paper went past recently pointing out that we are not
> secure-by-default. The technical problem is the server certificate.
> Generating one feels more like an install issue, typically
> handled by the distro - who would, presumably, be overriding
> the hardcoded default for tls_advertise_hosts anyway.
>
> But what about self-builders (and, I suppose, the distro
> maintainers)? Should we be encouraging them by making
> this change and then refusing to run (with some appropriate
> error message) if tls_certificate is not set?
>
> Or is this all too far towards advocacy and not something we
> should touch?
>
>
>
> Allegedly, postscript generates a selfsigned server cert
> as part of installation. I've not verified this.
>
> --
> Cheers,
> Jeremy
>
Tricky: Should Exim fail "safe" or fail secure? Are the two mutually
exclusive or as you say is this erring on the side of advocacy. Given
that many web facing things seem to be moving in this direction,
especially browsers, then the advocacy criticism is a less touchy
subject than it used to be.
Generating a self signed certificate at install time could be fraught
with problems: what if there is an insecure OpenSSL/LibreSSL/whatever
library installed and used? Then you get the worst of both worlds.
The cert would be used without warning and potentially lull the
sysadmin into a false sense of security. cf Debian SSH keys some time
back - best of intentions etc. Calling the cert "snake oil" doesn't
stop people from using self signed default certs in Apache or nginx
either. However I'm not completely against this approach provided it
is regularly visited but is that really the best use of mailer daemon
programmer's time? Better to point sysadmins/users at good sources of
information by people who specailize in SSL and use that expertize in
Exim by just linking to the libraries.
I suggest one of two options:
Fail with a panic error, and explanation and how to remedy with perhaps
a link to the docs. Alternatively, carry on start up and log a non
fatal error at regular intervals, with a link to the docs and or a
remedy. A single error at start up IMHO will be glossed over bu then
the advocacy thing comes up again ...
Cheers
Jon
Blueloop Ltd
01460 271055
https://www.blueloop.net
Blueloop House, Ilchester Road, YEOVIL, BA21 3AA Registered England & Wales - 3981322
