Re: [exim] tls_advertise_hosts

Author: Mike Tubby
Date:  
To: exim-users
Subject: Re: [exim] tls_advertise_hosts


On 25/04/2016 23:08, Heiko Schlittermann wrote:
> Mike Tubby <mike@???> (Mo 25 Apr 2016 23:57:51 CEST):
>> Gents,
>>
>> I have to say that this is all sounding very complicated, please can we have
>> the old default back? ... It seems to make most sense, to me, to have:
>>
>>      tls_advertise_hosts = <null>
>>
>> and require users to:
>>
>>      a) turn it on by specifying something else, and
>>      b) put some meaningful certificates in place
>>
>> This is both logical and convergent as use of TLS is an optional upgrade
>> (choice of the sysadmin) over a base install.
> Hm. What about setting tls_advertise_hosts to an empty default, but
> complain if this option isn't mentioned in the configuration at all?
>
> Then you'll get warnings if you forget to think about TLS, but your
> installation will be operational all the time in a compatible way (by
> not advertising STARTTLS).
>
> As soon as you agree with this (insecure) default by putting it into your
> configuration, the warnings will go away, no matter what value you put
> there.
>
>      Best regards from Dresden/Germany
>      Viele Grüße aus Dresden
>      Heiko Schlittermann
>


Yes, I think that works and would make sense as long as it's a "soft
warning" that occurs if:

     a) the binary is built with TLS capability (OpenSSL, GnuTLS, other), and
     b) the variable tls_advertise_hosts is set to empty/null

then when Exim starts it could generate a warning like:

     Warning: Exim is capable of using TLS/SSL but it is currently
     disabled in configuration - see http://www.exim.org/...

Likewise, if the Exim binary can do TLS, and tls_advertise_hosts is
non-zero but Exim cannot find any valid certificates, this could generate a
warning.

As for the SNI stuff, this can only be done at connection time ...


Mike
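The two startup warnings proposed in this message, as an added example that is not code from the thread or from Exim itself: a POSIX sh check over the text that `exim -bV` and `exim -bP <option>` print. It assumes `-bV` names OpenSSL or GnuTLS when the binary was built with TLS and that `-bP` prints `option = value` lines; the sample output below is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from Exim: the "soft warning"
# proposed above, as a check over the text that `exim -bV` and `exim -bP`
# print.  Assumed output shapes: -bV lists OpenSSL or GnuTLS when the
# binary was built with TLS; -bP prints "option = value" lines.

# 0 if the -bV text (argument 1) shows a TLS library, 1 otherwise.
exim_has_tls() {
    printf '%s\n' "$1" | grep -Eq 'OpenSSL|GnuTLS'
}

# Value part of the "name = value" line for option $2 in -bP text $1.
opt_value() {
    printf '%s\n' "$1" | sed -n "s/^$2 *= *//p" | head -n 1
}

# Arguments: -bV text, tls_advertise_hosts line, tls_certificate line.
# Prints: no-tls (nothing to check), tls-disabled (built with TLS but
# not advertised), no-certificate (advertised but no usable certificate),
# or ok.
tls_warning() {
    exim_has_tls "$1" || { echo no-tls; return; }
    adv=$(opt_value "$2" tls_advertise_hosts)
    cert=$(opt_value "$3" tls_certificate)
    [ -n "$adv" ] || { echo tls-disabled; return; }
    case $cert in
        '')  echo no-certificate; return ;;
        \$*) ;;   # expansion string: only checkable at connection time
        *)   [ -r "$cert" ] || { echo no-certificate; return; } ;;
    esac
    echo ok
}

# Constructed sample, shaped like real -bV / -bP output.
SAMPLE_BV='Exim version 4.87 #1 built 25-Apr-2016 12:00:00
Support for: crypteq iconv() IPv6 OpenSSL DKIM'
SAMPLE_ADV='tls_advertise_hosts = '
SAMPLE_CERT='tls_certificate = '

case $(tls_warning "$SAMPLE_BV" "$SAMPLE_ADV" "$SAMPLE_CERT") in
    tls-disabled)   echo 'Warning: Exim can use TLS but tls_advertise_hosts is empty' ;;
    no-certificate) echo 'Warning: TLS is advertised but no certificate is configured' ;;
esac
```

On a real host, feed `tls_warning` the output of `exim -bV`, `exim -bP tls_advertise_hosts` and `exim -bP tls_certificate` instead of the samples.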
