Gents,
I have to say that this is all sounding very complicated, please can we
have the old default back? ... it seems to make most sense, to me, to have:
tls_advertise_hosts = <null>
and require users to:
a) turn it on by specifying something else, and
b) put some meaningful certificates in place
This is both logical and convergent, as use of TLS is an optional
upgrade (choice of the sysadmin) over a base install.
Mike
On 25/04/2016 20:50, Heiko Schlittermann wrote:
Viktor Dukhovni <[email protected]> (Mo 25 Apr 2016 17:53:14 CEST):
…
The Postfix behaviour when server-side TLS is administratively
enabled, but no certificate is configured is to log warnings and
not advertise STARTTLS. Advertising STARTTLS when it is sure to
fail is not ideal.
Probably Exim could implement it in a similar fashion. But
it's not as easy as it sounds…
I can understand the implementation rationale. Exim likely does
…
IIRC, the Exim SMTP server runs indefinitely, and so preloading
the cert is not as attractive, since it will get stale.
The process handling the connection is a child of a long running
process. This child is responsible for offering the
STARTTLS. So it's no problem with stale or useless certs.
BUT the tls_*file options are expanded at runtime on request. Some
variables are set already at TCP connection time or EHLO time, but the
client may send SNI information during SSL handshake. And the
tls_{certificate,privatekey} options may contain a $tls_in_sni expando.
So there is no chance to expand and check the tls_* options beforehand.
In Postfix, I've opted for providing a script that generates
and configures the cert/key and leaving the decision of enabling
inbound TLS by default to O/S distributions. They provide the
code that installs and activates Postfix, so are in a better
position to work with the user to enable or not enable TLS.
The O/S distros are free to set the default of tls_advertise_hosts
to an empty string in their configuration templates, and/or provide
an (automatic) script to generate a self-signed cert.
The current flood of warnings is (IMHO) only from legacy installations
that don't use TLS and are now a victim of the changed built-in default.
Maybe we *could* check if there is at least something configured for
tls_{certificate,privatekey} and suppress the STARTTLS offer if these
global options are missing (but continue to issue the warning).
Jeremy? What do you think?
Best regards from Dresden/Germany
Heiko Schlittermann
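Illustrative decision logic for the proposal above, added here as an example and not Exim's own code: parse the main-section options named in the thread, suppress the STARTTLS offer when no usable certificate is configured (while still warning), and report "undecidable" when tls_certificate/tls_privatekey depend on run-time expansion such as $tls_in_sni. The sample configurations are constructed.

```python
import os

# Illustrative check for Heiko's proposal (constructed, not Exim code):
# decide whether the STARTTLS offer can be made from the global tls_*
# options alone, and keep warning whenever the configuration is unusable.

def parse_main_config(text):
    """Parse 'name = value' lines of an Exim-style main section."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            opts[name.strip()] = value.strip()
    return opts

def starttls_decision(opts, file_exists=os.path.isfile):
    """Return (advertise, warnings); advertise is None when the answer
    depends on per-connection data such as $tls_in_sni."""
    warnings = []
    if opts.get("tls_advertise_hosts", "*") == "":   # "*" is the 4.87 default
        return False, warnings                        # TLS disabled on purpose
    cert = opts.get("tls_certificate", "")
    key = opts.get("tls_privatekey", "") or cert      # key defaults to cert file
    if not cert:
        warnings.append("STARTTLS advertised but tls_certificate is unset")
        return False, warnings
    if "tls_in_sni" in cert + key or "${" in cert + key:
        warnings.append("tls_certificate/tls_privatekey are expanded at run time; cannot pre-check")
        return None, warnings
    missing = sorted({p for p in (cert, key) if not file_exists(p)})
    if missing:
        warnings.append("TLS files missing: " + ", ".join(missing))
        return False, warnings
    return True, warnings

# Constructed sample configurations for the three cases in the thread.
LEGACY_CFG = "primary_hostname = mail.example.test\n"          # no tls_* at all
SNI_CFG = ("tls_advertise_hosts = *\n"
           "tls_certificate = /etc/exim/certs/${tls_in_sni}.pem\n")
STATIC_CFG = ("tls_advertise_hosts = *\n"
              "tls_certificate = /etc/exim/exim.crt\n"
              "tls_privatekey = /etc/exim/exim.key\n")

if __name__ == "__main__":
    for name, cfg in (("legacy", LEGACY_CFG), ("sni", SNI_CFG), ("static", STATIC_CFG)):
        print(name, starttls_decision(parse_main_config(cfg)))
```

The legacy case reproduces the situation the thread describes: nothing configured, the new built-in default advertises STARTTLS, and the check would withhold the offer but keep the warning.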
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/