authorPhil Pennock <pdp@exim.org>2018-04-20 20:05:53 -0400
committerPhil Pennock <pdp@exim.org>2018-04-20 20:05:53 -0400
commit26739076aecabbede0a75c9554e4562c63bb1616 (patch)
treeaf62385950234ce51a57fd296deb41b065216e6e /src
parentec590f6cd9840b7681b0d6bbb5c1c1b388e7b5c3 (diff)
TLS by default for example smarthost SMTP Transport
And _decent_ TLS at that, with verification.
Diffstat (limited to 'src')
-rw-r--r--src/src/configure.default34
1 files changed, 33 insertions, 1 deletions
diff --git a/src/src/configure.default b/src/src/configure.default
index 79bbc8c30..9247b10fe 100644
--- a/src/src/configure.default
+++ b/src/src/configure.default
@@ -605,7 +605,7 @@ dnslookup:
# smarthost:
# driver = manualroute
# domains = ! +local_domains
-# transport = remote_smtp
+# transport = smarthost_smtp
# route_data = MAIL.HOSTNAME.FOR.CENTRAL.SERVER.EXAMPLE
# ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; ::1
# no_more
@@ -727,6 +727,38 @@ remote_smtp:
message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
+# This transport is used for delivering messages to a smarthost, if the
+# smarthost router is enabled. This starts from the same basis as
+# "remote_smtp" but then turns on various security options, because
+# we assume that if you're told "use smarthost.example.org as the smarthost"
+# then there will be TLS available, with a verifiable certificate for that
+# hostname, using decent TLS.
+
+smarthost_smtp:
+ driver = smtp
+ message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
+ multi_domain
+ #
+.ifdef _HAVE_TLS
+ # Comment out any of these which you have to, then file a Support
+ # request with your smarthost provider to get things fixed:
+ hosts_require_tls = *
+ tls_sni = $host
+ tls_verify_hosts = *
+ # As long as tls_verify_hosts is enabled, this won't matter, but if you
+ # have to comment it out then this will at least log whether you succeed
+ # or not:
+ tls_try_verify_hosts = *
+ #
+.ifdef _HAVE_OPENSSL
+ tls_require_ciphers = HIGH:@STRENGTH
+.endif
+.ifdef _HAVE_GNUTLS
+ tls_require_ciphers = NONE:+VERS-TLS1.2:SECURE192
+.endif
+.endif
+
+
# This transport is used for local delivery to user mailboxes in traditional
# BSD mailbox format. By default it will be run under the uid and gid of the
# local user, and requires the sticky bit to be set on the /var/mail directory.
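Review bot: The OpenSSL branch of the new transport only sets a cipher list (`tls_require_ciphers = HIGH:@STRENGTH`), so unlike the GnuTLS branch, which pins the protocol with `+VERS-TLS1.2`, it leaves the protocol floor at library defaults and still admits TLS 1.0/1.1 and non-forward-secret RSA key exchange, giving the two builds different security levels for what the header comment presents as the same "decent TLS". Under OpenSSL the protocol floor is, as far as I recall, the main-section `openssl_options` setting (e.g. `+no_tlsv1 +no_tlsv1_1`) rather than a transport option, so a one-line pointer would close the gap: `# Under OpenSSL, set openssl_options in the main section to pin a minimum protocol version.` The "Comment out any of these which you have to" comment should also say what each removal costs: without `hosts_require_tls` delivery falls back to opportunistic, downgradeable TLS, and without `tls_verify_hosts` an untrusted certificate is accepted, with `tls_try_verify_hosts` then only logging the failure. Verification further depends on the transport's `tls_verify_certificates` (default `system`, not set here) resolving to a usable CA store; if it does not, deliveries defer rather than go out unverified, which is the intended fail-closed outcome but worth a sentence in the comment. The `smarthost_smtp` definition is complete within this hunk.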