On 25/04/2016 23:08, Heiko Schlittermann wrote:
Mike Tubby <[email protected]> (Mo 25 Apr 2016 23:57:51 CEST):
Gents,
I have to say that this is all sounding very complicated, please can we have
the old default back? ... its seems to make most sense, to me, to have:
tls_advertise_hosts = <null>
and require users to:
a) turn it on by specifying something else, and
b) put some meaningful certificates in place
This is both logical and convergent as use of TLS is an, optional, upgrade
(choice of the sysadmin) over a base install.
Hm. What about setting tls_advertise_hosts to an empty default, but
complain if this option isn't mentioned in the configuration at all?
Then you'll get warnings if if forget to think about TLS, but your
installation will be operational all the time in a compatible way (by
not advertising STARTTLS).
As soon as you agree with this (insecure) default by putting it into your
configuration, the warnings will go away, no matter whay value you put
there.
Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
Yes, I think that works and would make sense as long as it's a "soft
warning" that occurs if:
a) the binary is built with TLS capability (openssl, GNU TLS,
other), and
b) the variable tls_advertise_hosts is set to empty/null
then when Exim starts it could generate a warning like:
Warning: Exim is capable of use TLS/SSL but it is currently
disabled in configuration - see http://www.exim.org/...
likewise, if the Exim binary can do TLS, and tls_advertise_hosts is non
zero but Exim cannot find any valid certificates this could generate a
warning.
As for the SNI stuff this can only be done a connection time ...
Mike
Warning:
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
