Re: [exim] Advertising TLS

Author: Graeme Fowler
Date:  
To: exim-users
Subject: Re: [exim] Advertising TLS
My tuppence worth:

I believe, reasonably strongly, that Exim should *not* be creating/managing certificates. It's an MTA, not a piece of PKI tooling. End users have a more or less infinite number of ways to manage their own PKI; it is not our job to provide methods of doing so.

If a packager wishes to provide a configuration for their own distribution which creates and deploys self-signed certs/keys, that's all very well - I am pretty well versed in deriving packages from the RH-provided spec file, which does precisely that when Exim is installed for the first time.

We should be providing clear instructions on how to make opportunistic encryption work, however, and I would say that the option of turning on tls_advertise_hosts to all-hosts by default is a good one, provided that suitably clear instructions on the underlying dependencies are provided. It is not in our purview to second-guess distributions nor packagers, all of whom will have their own defaults with respect to their own ways of handling PKI (or self-signed TLS certificates).

IMO this discussion should actually be over on the exim-dev list, also.

Other opinions are available.

Graeme