On Tue, Nov 03, 2015 at 01:51:11PM +0000, Jeremy Harris wrote:
> Should we change the tls_advertise_hosts main-option default
> from none- to all-hosts?
A proposal to encourage email software providers to enable STARTTLS
by default was well received at the M3AAWG meeting a few weeks
back, I think it is by now reasonable to expect TLS to be on when
possible.
So I think it is time for Exim to do that, and will be proposing
the same to Wietse for Postfix (in which neither client-side nor
server-side TLS are currently enabled by default).
Enabling opportunistic TLS in clients is easy. For servers, provided
TLS support is compiled in, and the previous configuration does
not explicitly disable TLS, I'd like to see Postfix upgrades enable
client-side TLS, and generate a self-signed 2048-bit certificate
and enable server-side TLS.
> A paper went past recently pointing out that we are not
> secure-by-default. The technical problem is the server certificate.
> Generating one feels more like an install issue, typically
> handled by the distro - who would, presumably, be overriding
> the hardcoded default for tls_advertise_hosts anyway.
I don't know enough about how Exim interacts with distribution
upgrade processes. In Postfix we and recommend and hope that
distributions installing binary packages run "postfix upgrade-package"
as part of the installation process. Thus I would be tempted to
put certificate generation there.
> But what about self-builders (and, I suppose, the distro
> maintainers)? Should we be encouraging them by making
> this change and then refusing to run (with some appropriate
> error message) if tls_certificate is not set?
I would try to enable by default, but refusing to run is I think
too drastic. Log a warning if TLS is configured but not available,
perhaps for lack of certificates, and run without TLS.
> Or is this all too far towards advocacy and not something we
> should touch?
Your call ultimately.
> Allegedly, postscript generates a selfsigned server cert
> as part of installation. I've not verified this.
If s/postscript/postfix/ then it does not do that as yet in the
upstream code, but some distributions of Postfix might be doing
that.
--
Viktor.
