Bug#440663: exim4-config: MAIN_TLS_* doesn't actually enable TLS

John Goerzen jgoerzen at complete.org
Tue Sep 4 13:24:14 UTC 2007


On Tue September 4 2007 2:01:56 am Marc Haber wrote:

> 2.2.1 says "Exim will use TLS via STARTTLS automatically as client if
> the server Exim connects to offers it."
>
> Would adding something like this help:
> "This means that you won't need any special configuration if you want
> to use TLS for outgoing mail. However, if your server wants to see a
> client certificate, you need to amend your remote_smtp and/or
> remote_smtp_smarthost transports with a tls_certificate option. The
> certificate presented by the remote host is not checked unless you
> specify a tls_verify_certificate option on the transport."

Yes, that would be an excellent addition.

> It should just work. Using client certificates is secure, but kind of
> exotic (I have never seen a mail system requiring client certificates
> in the wild, and I see a number of new mail systems each day at work).

It is used here for authentication for forwarding.  It seems a nice 
alternative to SMTP AUTH or some other such thing, especially since client 
certificates can have built-in expiration dates.

> An experienced user could have seen that a macro with a MAIN_ prefix
> is probably not being used inside a transport, especially because all
> other macros used in the remote_smtp(_smarthost) transports are
> prefixed REMOTE_SMTP_.

I may not be an experienced user, but it seemed that turning something on in 
MAIN would turn it on everywhere.  I would also greatly appreciate a comment 
in the conf.d/main/ TLS file about this.

-- John
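As an added illustration of the point made in this exchange (this is not configuration from the bug report, from John's system, or from Debian's exim4-config package): enabling TLS with the MAIN_TLS_* macros in conf.d/main/ only makes Exim offer STARTTLS when it acts as a server. Presenting a client certificate, and checking the certificate the remote server presents, are options on the smtp transport, so in Debian's split configuration they go into the remote_smtp (or remote_smtp_smarthost) transport under conf.d/transport/, followed by a run of update-exim4.conf. The file paths below are assumed for the example.

```conf
# Added example, not part of the bug report or of exim4-config.
# Client-side TLS behaviour lives on the smtp transport, not in conf.d/main:
# a MAIN_ macro such as MAIN_TLS_ENABLE only affects Exim as a server.
# The certificate, key and CA paths are assumptions for illustration.

remote_smtp:
  driver = smtp
  # Certificate and private key Exim presents when the remote server
  # requests a client certificate (e.g. to authorise relaying, as an
  # alternative to SMTP AUTH). Both files must be readable by the Exim user.
  tls_certificate = /etc/exim4/client.crt
  tls_privatekey  = /etc/exim4/client.key
  # Without this option the remote server's certificate is accepted
  # unverified. Point it at the CA certificate(s) that signed the
  # certificates of the servers you relay through. Whether a verification
  # failure is fatal depends on the Exim version; newer releases add
  # tls_verify_hosts / tls_try_verify_hosts to control that per host.
  tls_verify_certificates = /etc/exim4/cacerts.pem
```

A quick check that the transport, rather than the main section, picked the options up is `exim4 -bP transport remote_smtp`, which prints the transport's effective settings; tls_certificate and tls_verify_certificates should appear there with the paths above.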



