return_path_add = true:>)
SECTION(transports)m4_dnl
-## A standard transport for remote delivery. Try to do TLS, and don't worry
-## too much if it's not very secure: the alternative is sending in plaintext
-## anyway.
+## A standard transport for remote delivery. By default, try to do TLS, and
+## don't worry too much if it's not very secure: the alternative is sending
+## in plaintext anyway. But all of this can be overridden from the
+## `domains.conf' file.
smtp:
driver = smtp
- tls_require_ciphers = CONF_acceptable_ciphers
+ hosts_require_tls = DOMKV(tls-peer-ca, {*}{})
+ tls_certificate = DOMKV(tls-certificate, {${expand:$value}}fail)
+ tls_privatekey = DOMKV(tls-private-key, {${expand:$value}}fail)
+ tls_verify_certificates = DOMKV(tls-peer-ca, {${expand:$value}}fail)
+ tls_require_ciphers = \
+ DOMKV(tls-ciphers,
+ {${extract {${expand:$value}} \
+ { good = CONF_good_ciphers \
+ any = CONF_acceptable_ciphers } \
+ {$value} \
+ {${expand:$value}}}} \
+ {CONF_acceptable_ciphers})
+ ## Can't set this to an expansion. :-(
+ m4_dnl tls_dh_min_bits = DOMKV(dh-min-bits, {$value}{1020})
tls_dh_min_bits = 1020
tls_tempfail_tryclear = true