diff options
| author | Jeremy Harris <jgh146exb@wizmail.org> | 2016-05-04 14:48:41 +0100 |
|---|---|---|
| committer | Jeremy Harris <jgh146exb@wizmail.org> | 2016-05-04 14:48:41 +0100 |
| commit | 23bb69826c8d600ce4a268ad27e14b0390e540c8 (patch) | |
| tree | 24fb48e5aba9e8fa2625b106ca07f05720e59bb0 /doc | |
| parent | 789f8a4f4046120b7ae2aafa45f7f45c3ae4c8f5 (diff) | |
TLS: when tls_certificates unset, generate a selfsigned cert
Diffstat (limited to 'doc')
| -rw-r--r-- | doc/doc-docbook/spec.xfpt | 24 | ||||
| -rw-r--r-- | doc/doc-txt/ChangeLog | 3 |
2 files changed, 21 insertions, 6 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index ddb0001a5..ba32403d6 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -16843,8 +16843,8 @@ of the STARTTLS command to set up an encrypted session is advertised in response to EHLO only to those client hosts that match this option. See chapter &<<CHAPTLS>>& for details of Exim's support for TLS. Note that the default value requires that a certificate be supplied -using the &%tls_certificate%& option. If no certificate is available then -the &%tls_advertise_hosts%& option should be set empty. +using the &%tls_certificate%& option. If TLS support for incoming connections +is not required the &%tls_advertise_hosts%& option should be set empty. .option tls_certificate main string&!! unset @@ -16865,6 +16865,11 @@ if the OpenSSL build supports TLS extensions and the TLS client sends the Server Name Indication extension, then this option and others documented in &<<SECTtlssni>>& will be re-expanded. +.new +If this option is unset or empty a fresh self-signed certificate will be +generated for every connection. +.wen + .option tls_crl main string&!! unset .cindex "TLS" "server certificate revocation list" .cindex "certificate" "revocation list for server" @@ -26958,10 +26963,17 @@ with the error If a STARTTLS command is issued within an existing TLS session, it is rejected with a 554 error code. -To enable TLS operations on a server, you must set &%tls_advertise_hosts%& to -match some hosts. You can, of course, set it to * to match all hosts. -However, this is not all you need to do. TLS sessions to a server won't work -without some further configuration at the server end. +To enable TLS operations on a server, the &%tls_advertise_hosts%& option +must be set to match some hosts. The default is * which matches all hosts. + +.new +If this is all you do, TLS encryption will be enabled but not authentication - +meaning that the peer has no assurance it is actually you he is talking to. +You gain protection from a passive sniffer listening on the wire but not +from someone able to intercept the communication. +.wen + +Further protection requires some further configuration at the server end. It is rumoured that all existing clients that support TLS/SSL use RSA encryption. To make this work you need to set, in the server, diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 43009011f..272176cc8 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -23,6 +23,9 @@ JH/03 Upgrade security requirements imposed for hosts_try_dane: previously JH/04 Bug 1810: make continued-use of an open smtp transport connection non-noisy when a race steals the message being considered. +JH/05 If main configuration option tls_certificate is unset, generate a + selfsigned certificate for inbound TLS connections. + Exim version 4.87 ----------------- |