Gitweb:
https://git.exim.org/exim.git/commitdiff/26739076aecabbede0a75c9554e4562c63bb1616
Commit: 26739076aecabbede0a75c9554e4562c63bb1616
Parent: ec590f6cd9840b7681b0d6bbb5c1c1b388e7b5c3
Author: Phil Pennock <pdp@???>
AuthorDate: Fri Apr 20 20:05:53 2018 -0400
Committer: Phil Pennock <pdp@???>
CommitDate: Fri Apr 20 20:05:53 2018 -0400
TLS by default for example smarthost SMTP Transport
And _decent_ TLS at that, with verification.
---
src/src/configure.default | 34 +++++++++++++++++++++++++++++++++-
1 file changed, 33 insertions(+), 1 deletion(-)
diff --git a/src/src/configure.default b/src/src/configure.default
index 79bbc8c..9247b10 100644
--- a/src/src/configure.default
+++ b/src/src/configure.default
@@ -605,7 +605,7 @@ dnslookup:
# smarthost:
# driver = manualroute
# domains = ! +local_domains
-# transport = remote_smtp
+# transport = smarthost_smtp
# route_data = MAIL.HOSTNAME.FOR.CENTRAL.SERVER.EXAMPLE
# ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; ::1
# no_more
@@ -727,6 +727,38 @@ remote_smtp:
message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
+# This transport is used for delivering messages to a smarthost, if the
+# smarthost router is enabled. This starts from the same basis as
+# "remote_smtp" but then turns on various security options, because
+# we assume that if you're told "use smarthost.example.org as the smarthost"
+# then there will be TLS available, with a verifiable certificate for that
+# hostname, using decent TLS.
+
+smarthost_smtp:
+ driver = smtp
+ message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
+ multi_domain
+ #
+.ifdef _HAVE_TLS
+ # Comment out any of these which you have to, then file a Support
+ # request with your smarthost provider to get things fixed:
+ hosts_require_tls = *
+ tls_sni = $host
+ tls_verify_hosts = *
+ # As long as tls_verify_hosts is enabled, this won't matter, but if you
+ # have to comment it out then this will at least log whether you succeed
+ # or not:
+ tls_try_verify_hosts = *
+ #
+.ifdef _HAVE_OPENSSL
+ tls_require_ciphers = HIGH:@STRENGTH
+.endif
+.ifdef _HAVE_GNUTLS
+ tls_require_ciphers = NONE:+VERS-TLS1.2:SECURE192
+.endif
+.endif
+
+
# This transport is used for local delivery to user mailboxes in traditional
# BSD mailbox format. By default it will be run under the uid and gid of the
# local user, and requires the sticky bit to be set on the /var/mail directory.