[exim] Re: Fixing or disabling TLS for internal network host…

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Slavko
Date:  
À: exim-users
Sujet: [exim] Re: Fixing or disabling TLS for internal network hosts
Dňa 8. októbra 2023 13:53:31 UTC používateľ u34--- via Exim-users <exim-users@???> napísal:

>Making the whole system treats self signed certificates in the same manner
>as it treats other certificate authorities is distribution dependent.


Self signed certificate is basically CA root certificate directly used
by server. To other systems (clients) can trust it, one just need to
add it into system's or client's trusted CAs storage. That is not hard,
but yes OS/distro depended (and eg. hard to impossible on
Android). The pain part is to mantain that certificate across
multiple clients/hosts after renew.

Using self-signed certificate is good mostly for testing, or for
(very) small amount of hosts. I use own CA for local infrastructure,
that is the same work to deploy, except that CA cert has longer
expiration time, thus happens less often (and i have automated
that).

On debian, recent versions enabled verifying peer certificate by
default for smarthost transport (i am not sure if for dnslookup too).
There is macro defined for that, which defaults to * (all hosts).
Just define that macro with exclusion of your smarthost, eg.

    THAT_MACRO = ! your.smarthost

You can use IP, of course. I cannot copy/paste now, thus find
proper macro name by self.

regards


-- 
Slavko
https://www.slavino.sk/


--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/