>>>>> Ben Hutchings <b...@decadent.org.uk> writes:
>>>>> On Sun, 2012-06-17 at 09:05 +0200, Andreas Metzler wrote:

[…]

 >> The Debian configuration does the same, MAIN_TLS_* sets the
 >> respective main TLS setting with no effect on the transport
 >> option.

 > OK, so how about adding new macros for this purpose?

        FWIW, in my configurations, I’ve complemented the already
        present REMOTE_SMTP_SMARTHOST*_TLS* macros with the following
        (as per the patch MIMEd; it’s for oldstable, but should apply
        cleanly to testing just as well):

REMOTE_SMTP_SMARTHOST_TLS_PRIVATEKEY
REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE
REMOTE_SMTP_SMARTHOST_TLS_VERIFY_CERTIFICATES
REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS

        It /may/ make sense to default them to the respective MAIN_TLS_
        ones in, say, conf.d/main/03_exim4-config_tlsoptions, but I’ve
        simply created a new main/00_local_tls_client (also MIMEd) just
        for them.

        This change allows for X.509-based authentication of smarthost
        “client” MTAs, which seems considerably more secure than the one
        based on IP address matching (IOW, MAIN_RELAY_NETS.)

[…]

-- 
FSF associate member #7257      http://sf-day.org/
--- /etc/exim4/conf.d/transport/30_exim4-config_remote_smtp_smarthost.orig	2009-03-15 20:57:04.000000000 +0600
+++ /etc/exim4/conf.d/transport/30_exim4-config_remote_smtp_smarthost	2013-08-25 21:47:43.000000000 +0700
@@ -15,6 +15,18 @@
         }\
         {} \
       }
+.ifdef REMOTE_SMTP_SMARTHOST_TLS_PRIVATEKEY
+  tls_privatekey = REMOTE_SMTP_SMARTHOST_TLS_PRIVATEKEY
+.endif
+.ifdef REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE
+  tls_certificate = REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE
+.endif
+.ifdef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_CERTIFICATES
+  tls_verify_certificates = REMOTE_SMTP_SMARTHOST_TLS_VERIFY_CERTIFICATES
+.endif
+.ifdef REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS
+  hosts_require_tls = REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS
+.endif
 .ifdef REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS
   hosts_avoid_tls = REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS
 .endif
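Review bot: the four new `.ifdef` blocks only test whether a macro is defined, not whether it is non-empty, so with the accompanying `REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS =` line the transport ends up with `hosts_require_tls =` and no host listed; `tls_verify_certificates` governs an established TLS session, and whether delivery may still go out in clear when TLS is not negotiated is decided by `hosts_require_tls`, so the X.509 client authentication the mail describes is only enforced once that macro carries a real value (the commented-out `*`). The new macros also deserve a comment next to the existing `REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS` block, or in the tlsoptions file the mail mentions, so that their relation to MAIN_TLS_* is visible to anyone editing the transport.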
### main/00_local_tls_client
REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS =
# REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS = *
REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE = MAIN_TLS_CERTIFICATE
REMOTE_SMTP_SMARTHOST_TLS_PRIVATEKEY  = MAIN_TLS_PRIVATEKEY
REMOTE_SMTP_SMARTHOST_TLS_VERIFY_CERTIFICATES = MAIN_TLS_VERIFY_CERTIFICATES
# REMOTE_SMTP_SMARTHOST_TLS_VERIFY_CERTIFICATES = /etc/ssl/certs/ca-certificates.crt
### main/00_local_tls_client ends here
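To see what the transport actually ends up with once the patched `.ifdef` blocks and the `00_local_tls_client` snippet above are processed, here is a small model of Exim's macro definition, `.ifdef`/`.endif` and substitution rules, run over the snippets from this thread. This is an added example, not Exim's code and not part of the patch; the `MAIN_TLS_*` paths are constructed placeholders standing in for what Debian's tlsoptions file would define, and the model is deliberately simplified (no `.include`, `.else` or `.ifndef`, longest-name-first substitution). The point it makes visible is that `.ifdef` is true for a macro defined with an empty value, so the snippet's `REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS =` line keeps the `hosts_require_tls` block but lists no hosts.

```python
import re

# Exim macro definition: NAME = value, name starting with an uppercase letter.
MACRO_DEF = re.compile(r'^([A-Z][A-Z0-9_]*)\s*=(.*)$')


def render(lines):
    """Process Exim-style config text in order: record macro definitions,
    honour .ifdef/.endif blocks (true when the macro is *defined*, even if
    its value is empty) and substitute macro names in every other line.
    Returns (macros, emitted_lines).  Simplified model, not Exim's code."""
    macros = {}
    emitted = []
    stack = []  # one bool per open .ifdef: whether that block is active

    def substitute(text):
        # Longest names first so a short name never clobbers a longer one.
        for name in sorted(macros, key=len, reverse=True):
            text = text.replace(name, macros[name])
        return text

    for raw in lines:
        line = raw.rstrip('\n')
        stripped = line.strip()
        if stripped.startswith('.ifdef '):
            stack.append(stripped.split(None, 1)[1].strip() in macros)
            continue
        if stripped == '.endif':
            stack.pop()
            continue
        if not all(stack):
            continue  # inside a false .ifdef block
        if not stripped or stripped.startswith('#'):
            continue  # blank line or comment
        m = MACRO_DEF.match(stripped)
        if m:
            # Earlier macros are substituted into a later definition's value,
            # which is how REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE inherits the
            # value of MAIN_TLS_CERTIFICATE.
            macros[m.group(1)] = substitute(m.group(2).strip())
            continue
        emitted.append(substitute(line))
    return macros, emitted


# Constructed placeholders for the MAIN_TLS_* macros that Debian's
# conf.d/main/03_exim4-config_tlsoptions would normally supply.
MAIN_TLS_DEFS = """\
MAIN_TLS_CERTIFICATE = /etc/exim4/exim.crt
MAIN_TLS_PRIVATEKEY = /etc/exim4/exim.key
MAIN_TLS_VERIFY_CERTIFICATES = /etc/ssl/certs/ca-certificates.crt
"""

# The main/00_local_tls_client snippet from the thread, as posted.
LOCAL_TLS_CLIENT = """\
REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS =
# REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS = *
REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE = MAIN_TLS_CERTIFICATE
REMOTE_SMTP_SMARTHOST_TLS_PRIVATEKEY  = MAIN_TLS_PRIVATEKEY
REMOTE_SMTP_SMARTHOST_TLS_VERIFY_CERTIFICATES = MAIN_TLS_VERIFY_CERTIFICATES
"""

# The .ifdef blocks the patch adds to the remote_smtp_smarthost transport,
# plus the pre-existing hosts_avoid_tls one; the rest of the transport is
# omitted here.
PATCHED_TRANSPORT = """\
remote_smtp_smarthost:
  driver = smtp
.ifdef REMOTE_SMTP_SMARTHOST_TLS_PRIVATEKEY
  tls_privatekey = REMOTE_SMTP_SMARTHOST_TLS_PRIVATEKEY
.endif
.ifdef REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE
  tls_certificate = REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE
.endif
.ifdef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_CERTIFICATES
  tls_verify_certificates = REMOTE_SMTP_SMARTHOST_TLS_VERIFY_CERTIFICATES
.endif
.ifdef REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS
  hosts_require_tls = REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS
.endif
.ifdef REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS
  hosts_avoid_tls = REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS
.endif
"""


def transport_options(local_tls_client=LOCAL_TLS_CLIENT):
    """Render the macro files followed by the patched transport and return
    the transport's effective option -> value mapping."""
    text = MAIN_TLS_DEFS + local_tls_client + PATCHED_TRANSPORT
    _, emitted = render(text.splitlines())
    options = {}
    for line in emitted:
        if line.startswith('  ') and '=' in line:
            key, value = line.split('=', 1)
            options[key.strip()] = value.strip()
    return options


if __name__ == '__main__':
    for key, value in transport_options().items():
        print(f'{key} = {value!r}')
```

Running it with the snippet as posted prints `hosts_require_tls = ''`, i.e. the option is present but empty, while `hosts_avoid_tls` does not appear at all because its macro was never defined. Swapping in the commented-out `= *` line is what turns the verification into a requirement for every smarthost delivery.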
