Gents,
I have to say that this is all sounding very complicated, please can we
have the old default back? ... its seems to make most sense, to me, to have:
tls_advertise_hosts = <null>
and require users to:
a) turn it on by specifying something else, and
b) put some meaningful certificates in place
This is both logical and convergent as use of TLS is an, optional,
upgrade (choice of the sysadmin) over a base install.
Mike
On 25/04/2016 20:50, Heiko Schlittermann wrote:
> Viktor Dukhovni <exim-users@???> (Mo 25 Apr 2016 17:53:14 CEST):
> …
>> The Postfix behaviour when server-side TLS is administratively
>> enabled, but no certificate is configured is to log warnings and
>> not advertise STARTTLS. Advertising STARTTLS when it is sure to
>> fail is not ideal.
> Probably Exim could implement it in a similiar fashion. But
> it's not as easy as it sounds…
>
>> I can understand the implementation rationale. Exim likely does
> …
>> IIRC, the Exim SMTP server runs indefinitely, and so preloading
>> the cert is not as attractive, since it will get stale.
> The process handling the connection is a child of a long running
> process. This child is responsible for offering the
> STARTTLS. So it's no problem with stale or useless certs.
>
> BUT the tls_*file options are expanded at runtime on request. Some
> variables are set already at TCP connection time or EHLO time, but the
> client may send SNI information during SSL handshake. And the
> tls_{certificate,privatekey} options may contain a $tls_in_sni expando.
> So there is no chance to expand and check the tls_* options beforehand.
>
>> In Postfix, I've opted for providing a script that generates
>> and configures the cert/key and leaving the decision of enabling
>> inbound TLS by default to O/S distributions. They provide the
>> code that installs and activates Postfix, so are in a better
>> position to work with the user to enable or not enable TLS.
> The O/S distros are free to set the default of tls_advertise_hosts
> to an empty string in their configuration templates, and/or provide
> an (automatic) script to generate a self signed cert.
>
> The current flood of warnings is (IMHO) only from legacy installations
> that don't use TLS and are now a victim of the changed built-in default.
>
> Maybe we *could* check if there is at least something configured for
> tls_{certificate,privatekey} and suppress the STARTTLS offer if these
> global options are missing (but continue to issue the warning.)
>
> Jeremy? What do you think?
>
> Best regards from Dresden/Germany
> Viele Grüße aus Dresden
> Heiko Schlittermann
>
>
