From fa5a92c6b7847f6bafbc97d63a3935db4f175e35 Mon Sep 17 00:00:00 2001
From: Mark Wooding
Date: Mon, 17 Mar 2014 21:30:57 +0000
Subject: [PATCH] base.m4: Tweakable TLS parameters in `smtp' transport.

Now we can designate particular hosts as requiring TLS, with proper certificate checking and maybe client certification.

No SMTP client authentication yet.
---
 base.m4 | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)

diff --git a/base.m4 b/base.m4
index 8211506..6c2dc7b 100644
--- a/base.m4
+++ b/base.m4
@@ -345,12 +345,26 @@ m4_define(<:USER_DELIVERY:>,
 return_path_add = true:>)
 SECTION(transports)m4_dnl
-## A standard transport for remote delivery. Try to do TLS, and don't worry
-## too much if it's not very secure: the alternative is sending in plaintext
-## anyway.
+## A standard transport for remote delivery. By default, try to do TLS, and
+## don't worry too much if it's not very secure: the alternative is sending
+## in plaintext anyway. But all of this can be overridden from the
+## `domains.conf' file.
 smtp:
 driver = smtp
- tls_require_ciphers = CONF_acceptable_ciphers
+ hosts_require_tls = DOMKV(tls-peer-ca, {*}{})
+ tls_certificate = DOMKV(tls-certificate, {${expand:$value}}fail)
+ tls_privatekey = DOMKV(tls-private-key, {${expand:$value}}fail)
+ tls_verify_certificates = DOMKV(tls-peer-ca, {${expand:$value}}fail)
+ tls_require_ciphers = \ DOMKV(tls-ciphers, {${extract {${expand:$value}} \ { good = CONF_good_ciphers \ any = CONF_acceptable_ciphers } \ {$value} \ {${expand:$value}}}} \ {CONF_acceptable_ciphers})
+ ## Can't set this to an expansion. :-(
+ m4_dnl tls_dh_min_bits = DOMKV(dh-min-bits, {$value}{1020})
 tls_dh_min_bits = 1020
 tls_tempfail_tryclear = true
-- 
2.11.0
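Review bot: `tls_verify_certificates = DOMKV(tls-peer-ca, {${expand:$value}}fail)` may not on its own make a failed verification fatal: from Exim 4.82 the smtp transport decides that with `tls_verify_hosts` / `tls_try_verify_hosts`, so a host given a `tls-peer-ca` probably also wants `tls_verify_hosts = DOMKV(tls-peer-ca, {*}{})` next to `hosts_require_tls`, and which behaviour the deployed Exim version applies when neither option is set is worth confirming. Chain verification against the configured CA also does not by itself check that the certificate names the host being contacted, which the `## A standard transport` comment could state explicitly so that `tls-peer-ca` is not read as full peer authentication. In the `tls_require_ciphers` expansion, the no-match branch `{${expand:$value}}` relies on `$value` still holding the outer DOMKV result inside `${extract ...}`; if it is empty there, a host configured with a literal cipher string would silently get an empty, unrestricted `tls_require_ciphers`, so that is worth checking with a test host. The smtp transport definition appears to continue past the end of the hunk.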