On 2024-12-08 Slavko <li...@slavino.sk> wrote:
> Package: exim4-config
> Severity: normal
> Version: 4.98-2
>
> Hi,
>
> Current (4.98-2) config logic for tls_advertise_hosts is wrong,
> the conf.d/main/03_exim4-config_tlsoptions contains this:
>
> .ifdef MAIN_TLS_ENABLE
> .ifndef MAIN_TLS_ADVERTISE_HOSTS
> MAIN_TLS_ADVERTISE_HOSTS = *
> .endif
> tls_advertise_hosts = MAIN_TLS_ADVERTISE_HOSTS
> ...
> .else
> # Use upstream defaults
> .endif
>
> But defaults changed in some version in the past, now the default for
> tls_advertise_hosts is advertise to all:
>
> tls_advertise_hosts = *
>
> The result is that if MAIN_TLS_ENABLE is set and
> MAIN_TLS_ADVERTISE_HOSTS is not set, config (re)sets
> tls_advertise_hosts to default. If MAIN_TLS_ENABLE is not set,
> tls_advertise_hosts is left at the default (again *).
>
> In other words, tls_advertise_hosts is always "*", no matter if
> MAIN_TLS_ENABLE is set or not.

Well, if you want to change tls_advertise_hosts you should set
MAIN_TLS_ADVERTISE_HOSTS. If you do that and also set MAIN_TLS_ENABLE
then stuff happens as expected. That is what the
".ifndef MAIN_TLS_ADVERTISE_HOSTS" takes care of.

I do agree that it is superfluous to initialize
'MAIN_TLS_ADVERTISE_HOSTS = *' by default since this is now the upstream
default.

> I suggest changing the logic to this:
>
> .ifdef MAIN_TLS_ENABLE
> # change default if macro is set
> .ifdef MAIN_TLS_ADVERTISE_HOSTS
> tls_advertise_hosts = MAIN_TLS_ADVERTISE_HOSTS
> .endif
> ...
> .else
> # reset default to empty value
> tls_advertise_hosts =
> .endif

I agree with the former but disagree with the latter. See below.

> (please add/change comments as appropriate, my English is not good for
> that)
>
> By that change, the MAIN_TLS_ADVERTISE_HOSTS macro is used only if set,
> otherwise if MAIN_TLS_ENABLE is set it leaves tls_advertise_hosts at the
> default, and if MAIN_TLS_ENABLE is not set tls_advertise_hosts is
> cleared.
>
> That is required, as Exim's docs state that:
>
> + if TLS is not needed (IMO not wanted), tls_advertise_hosts must be
> set to an empty value
> + tls_advertise_hosts's default value requires tls_certificate to be set
> + if tls_certificate is empty (but wanted by tls_advertise_hosts), a
> self-signed certificate will be generated on every daemon start

The thing is that we want to both a) follow upstream's default to enable
TLS by default (using on-demand certificates) and b) not break existing
configurations which set MAIN_TLS_ENABLE and expect exim to use the
certificates they placed into exim.crt/key. That is the rationale for
the current configuration which turned MAIN_TLS_ENABLE into a "use local
certs and do enhanced config" switch in 2019's 4.93~RC1-4.

I agree that the option is kind of misnamed. However OTOH I do not think
we should further complicate the configuration just to make it easier to
disable incoming TLS, that is very much a niche configuration.

How about making the docs more explicit? If one reads between the lines
the info is there, but it is well hidden:

| Exim supports incoming opportunistic TLS by using on-connect
| autogenerated self-signed certificates. This is not optimal both for
| performance reasons and because these certificates cannot be verified by
| connecting clients/servers.
[...]
| To avoid the (small) performance issue and the log message one can
| locally create certificates. The exim-gencert script (which requires
| openssl) can be helpful for this purpose. It is shipped in
| /usr/share/doc/exim4-base/examples/ and takes care of proper access
| privileges on the private key file when installing key/certificate in
| /etc/exim4/.
|
| One can also get a certificate from a CA and install the key in
| /etc/exim4/exim.key and the certificate in /etc/exim4/exim.crt.
|
| To enable use of the installed certificates set the macro
| MAIN_TLS_ENABLE in a local configuration [...]

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
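As an added check (example code, not part of the bug report or of the exim4-config package), this small Python model of Exim's .ifdef/.ifndef/.else/.endif preprocessing runs both snippets from the thread over the three macro settings discussed; the macro values are constructed, and the "*" upstream default of tls_advertise_hosts is taken from the report.

```python
# Added example, not Exim's real config reader: a minimal model of the
# .ifdef/.ifndef/.else/.endif preprocessing, run over both snippets from
# the report (copied with their "..." lines dropped).
CURRENT = """\
.ifdef MAIN_TLS_ENABLE
.ifndef MAIN_TLS_ADVERTISE_HOSTS
MAIN_TLS_ADVERTISE_HOSTS = *
.endif
tls_advertise_hosts = MAIN_TLS_ADVERTISE_HOSTS
.else
# Use upstream defaults
.endif
"""
PROPOSED = """\
.ifdef MAIN_TLS_ENABLE
.ifdef MAIN_TLS_ADVERTISE_HOSTS
tls_advertise_hosts = MAIN_TLS_ADVERTISE_HOSTS
.endif
.else
tls_advertise_hosts =
.endif
"""
UPSTREAM_DEFAULT = "*"  # upstream default of tls_advertise_hosts, per report


def effective_tls_advertise_hosts(snippet, macros):
    """Preprocess `snippet` with macros (name -> value); return the result."""
    macros = dict(macros)
    options = {"tls_advertise_hosts": UPSTREAM_DEFAULT}
    active = [True]  # stack: is the enclosing conditional branch active?
    for raw in snippet.splitlines():
        line = raw.strip()
        if line.startswith(".ifdef "):
            active.append(active[-1] and line.split()[1] in macros)
        elif line.startswith(".ifndef "):
            active.append(active[-1] and line.split()[1] not in macros)
        elif line == ".else":
            taken = active.pop()
            active.append(active[-1] and not taken)
        elif line == ".endif":
            active.pop()
        elif active[-1] and line and not line.startswith("#"):
            name, _, value = (s.strip() for s in line.partition("="))
            value = macros.get(value, value)  # expand a macro used as RHS
            if name.isupper():  # Exim macro names are upper-case
                macros[name] = value
            else:
                options[name] = value
    return options["tls_advertise_hosts"]
```

With no macros set the current logic yields "*" and the proposed one yields an empty value; with MAIN_TLS_ENABLE alone both yield "*", which is Slavko's point about the existing branch being redundant and Andreas's point that it is harmless.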