Re: [exim] tls_advertise_hosts

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Heiko Schlittermann
Dátum:  
Címzett: exim-users
Tárgy: Re: [exim] tls_advertise_hosts
Viktor Dukhovni <exim-users@???> (Mo 25 Apr 2016 17:53:14 CEST):

> The Postfix behaviour when server-side TLS is administratively
> enabled, but no certificate is configured is to log warnings and
> not advertise STARTTLS. Advertising STARTTLS when it is sure to
> fail is not ideal.


Probably Exim could implement it in a similiar fashion. But
it's not as easy as it sounds…

> I can understand the implementation rationale. Exim likely does


> IIRC, the Exim SMTP server runs indefinitely, and so preloading
> the cert is not as attractive, since it will get stale.


The process handling the connection is a child of a long running
process. This child is responsible for offering the
STARTTLS. So it's no problem with stale or useless certs.

BUT the tls_*file options are expanded at runtime on request. Some
variables are set already at TCP connection time or EHLO time, but the
client may send SNI information during SSL handshake. And the
tls_{certificate,privatekey} options may contain a $tls_in_sni expando.
So there is no chance to expand and check the tls_* options beforehand.

> In Postfix, I've opted for providing a script that generates
> and configures the cert/key and leaving the decision of enabling
> inbound TLS by default to O/S distributions. They provide the
> code that installs and activates Postfix, so are in a better
> position to work with the user to enable or not enable TLS.


The O/S distros are free to set the default of tls_advertise_hosts
to an empty string in their configuration templates, and/or provide
an (automatic) script to generate a self signed cert.

The current flood of warnings is (IMHO) only from legacy installations
that don't use TLS and are now a victim of the changed built-in default.

Maybe we *could* check if there is at least something configured for
tls_{certificate,privatekey} and suppress the STARTTLS offer if these
global options are missing (but continue to issue the warning.)

Jeremy? What do you think?

    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
-- 
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -