Package: exim4-config
Severity: normal
Version: 4.98-2

Hi,

The current (4.98-2) config logic for tls_advertise_hosts is wrong. The file
conf.d/main/03_exim4-config_tlsoptions contains this:

    .ifdef MAIN_TLS_ENABLE
    .ifndef MAIN_TLS_ADVERTISE_HOSTS
    MAIN_TLS_ADVERTISE_HOSTS = *
    .endif
    tls_advertise_hosts = MAIN_TLS_ADVERTISE_HOSTS
    ...
    .else
    # Use upstream defaults
    .endif

But the defaults changed in some version in the past; now the default for
tls_advertise_hosts is to advertise to all:

    tls_advertise_hosts = *

The result is that if MAIN_TLS_ENABLE is set and MAIN_TLS_ADVERTISE_HOSTS is
not set, the config (re)sets tls_advertise_hosts to the default. If
MAIN_TLS_ENABLE is not set, tls_advertise_hosts is left at the default
(again *).

In other words, tls_advertise_hosts is always "*", no matter whether
MAIN_TLS_ENABLE is set or not.

I suggest changing the logic to this:

    .ifdef MAIN_TLS_ENABLE
    # change default if macro is set
    .ifdef MAIN_TLS_ADVERTISE_HOSTS
    tls_advertise_hosts = MAIN_TLS_ADVERTISE_HOSTS
    .endif
    ...
    .else
    # reset default to empty value
    tls_advertise_hosts =
    .endif

(please add/change comments as appropriate, my English is not good for that)

With that change, the MAIN_TLS_ADVERTISE_HOSTS macro is used only if set;
otherwise, if MAIN_TLS_ENABLE is set, it leaves tls_advertise_hosts at the
default, and if MAIN_TLS_ENABLE is not set, tls_advertise_hosts is cleared.

That is required, as exim's docs state that:

+ if TLS is not needed (IMO not wanted), tls_advertise_hosts must be set
  to an empty value
+ the default value of tls_advertise_hosts requires tls_certificate to be set
+ if tls_certificate is empty (but wanted by tls_advertise_hosts), a
  self-signed certificate will be generated on every daemon start

regards

-- 
Slavko
https://www.slavino.sk
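
The four macro combinations evaluated against both fragments, as an added example that is not part of the original report or of the Debian package: a simplified Python model of Exim's .ifdef/.ifndef/.else/.endif handling. The upstream default "*" is taken from the report; the host list 192.0.2.0/24, the macro value "true" and the helper names are constructed for illustration, and the lines elided as "..." are left out.

```python
# Simplified model of Exim's conditional config handling (added example).
UPSTREAM_DEFAULT = "*"  # default of tls_advertise_hosts, as stated in the report
CURRENT = """\
.ifdef MAIN_TLS_ENABLE
.ifndef MAIN_TLS_ADVERTISE_HOSTS
MAIN_TLS_ADVERTISE_HOSTS = *
.endif
tls_advertise_hosts = MAIN_TLS_ADVERTISE_HOSTS
.else
# Use upstream defaults
.endif
"""
PROPOSED = """\
.ifdef MAIN_TLS_ENABLE
.ifdef MAIN_TLS_ADVERTISE_HOSTS
tls_advertise_hosts = MAIN_TLS_ADVERTISE_HOSTS
.endif
.else
tls_advertise_hosts =
.endif
"""
# Constructed macro sets: neither, hosts only, enable only, both.
COMBOS = [{}, {"MAIN_TLS_ADVERTISE_HOSTS": "192.0.2.0/24"},
          {"MAIN_TLS_ENABLE": "true"},
          {"MAIN_TLS_ENABLE": "true", "MAIN_TLS_ADVERTISE_HOSTS": "192.0.2.0/24"}]

def effective(fragment, macros):
    """Return tls_advertise_hosts after evaluating fragment with these macros."""
    macros = dict(macros)  # copy: the fragment may define macros itself
    options = {"tls_advertise_hosts": UPSTREAM_DEFAULT}
    stack = []  # one bool per open conditional: is its current branch live?
    for line in fragment.splitlines():
        line = line.strip()
        word, _, arg = line.partition(" ")
        if word in (".ifdef", ".ifndef"):
            stack.append((arg in macros) == (word == ".ifdef"))
        elif word == ".else":
            stack[-1] = not stack[-1]
        elif word == ".endif":
            stack.pop()
        elif line and not line.startswith("#") and all(stack):
            name, _, value = (p.strip() for p in line.partition("="))
            for m in sorted(macros, key=len, reverse=True):  # longest name first
                value = value.replace(m, macros[m])
            # Upper-case names are macro definitions, the rest are options.
            (macros if name[0].isupper() else options)[name] = value
    return options["tls_advertise_hosts"]

def table(fragment):
    """Effective value for each entry of COMBOS, in order."""
    return [effective(fragment, c) for c in COMBOS]
```

On a live system, `exim4 -bP tls_advertise_hosts` prints the value Exim actually ends up with.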