[exim-dev] [Bug 2545] Allow disabling autogenerated selfsign…

Top Page
Delete this message
Reply to this message
Author: admin
Date:  
To: exim-dev
Subject: [exim-dev] [Bug 2545] Allow disabling autogenerated selfsigned cert warning
https://bugs.exim.org/show_bug.cgi?id=2545

Vincent Lefevre <vincent@???> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |vincent@???


--- Comment #9 from Vincent Lefevre <vincent@???> ---
(In reply to Jeremy Harris from comment #1)
> The other side of the coin is: if the system is being used as an SMTP server
> then the admin should realise what they're doing and get a certificate
> generated which is traceable to an authority trusted by the clients.
> Otherwise, the clients get only wire-encryption and do not get authentication.


There are various ways to authenticate the server. In many cases, this can be
done with a self-signed certificate and using the fingerprint. But in any case,
I don't see why a warning is needed *on the server*. What's important is that
the client shows a warning to its user if it cannot authenticate the server
(otherwise an attack is possible, whatever the real server does).

I imagine that if an admin sets up a server to accept such remote connections,
he will test it in the first place, and he will notice that he has to do
something concerning the certificate. So, either the current warning from exim
is useless (since giving no information on what to do), or it should be more
informative to help the admin.

On the distro side, I think that the initial exim setup should be automatic
(for instance, with postfix under Debian, the snakeoil certificate set up by
the ssl-cert package is used, and the authentication can be done by the client
via the fingerprint).

--
You are receiving this mail because:
You are on the CC list for the bug.