Bug#780033: exim4-config: Additional options for smarthost-TLS-pinning

M G Berberich debian at oss.m-berberich.de
Sun Mar 8 15:03:37 UTC 2015


Package: exim4-config
Version: 4.84-8
Severity: wishlist

Dear Maintainer,

Please add some options to pin the smarthost certificates.

This patch adds

REMOTE_SMTP_REQUIRE_TLS to prevent the smtp transport from falling back to
	unencrypted transport if TLS fails for some reason

REMOTE_SMTP_SMARTHOST_REQUIRE_TLS to prevent the smtp-smarthost transport
	from falling back to unencrypted transport if TLS fails for some
	reason

REMOTE_SMTP_SMARTHOST_VERIFY_CERTIFICATES to allow the
	smarthost certificate to be given in a file instead of using the
	system defaults

---------------------------------------------------------------------------
diff -Naur etc/exim4/conf.d/transport/30_exim4-config_remote_smtp /etc/exim4/conf.d/transport/30_exim4-config_remote_smtp
--- etc/exim4/conf.d/transport/30_exim4-config_remote_smtp      2014-07-22 19:16:03.000000000 +0200
+++ /etc/exim4/conf.d/transport/30_exim4-config_remote_smtp     2015-03-08 15:36:54.496189291 +0100
@@ -45,3 +45,7 @@
 .ifdef REMOTE_SMTP_PRIVATEKEY
 tls_privatekey = REMOTE_SMTP_PRIVATEKEY
 .endif
+.ifdef REMOTE_SMTP_REQUIRE_TLS
+hosts_require_tls = REMOTE_SMTP_REQUIRE_TLS
+.endif
+
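Review bot: The new macro name `REMOTE_SMTP_REQUIRE_TLS` breaks the pattern of the option it mirrors, `REMOTE_SMTP_HOSTS_AVOID_TLS` (macro name = option name upper-cased, see the `hosts_avoid_tls` block earlier in this transport), so `REMOTE_SMTP_HOSTS_REQUIRE_TLS` would keep the macro-to-option mapping predictable for administrators reading update-exim4.conf.conf. The added trailing blank line at the end of the hunk is noise and should be dropped. Since the macro value is an Exim host list, a short comment above the block such as `# host list (typically *) for which a TLS failure defers delivery instead of falling back to cleartext` would make the intent stated in the report discoverable from the file itself. The same naming point applies to `REMOTE_SMTP_SMARTHOST_REQUIRE_TLS` in the second hunk.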
diff -Naur etc/exim4/conf.d/transport/30_exim4-config_remote_smtp_smarthost /etc/exim4/conf.d/transport/30_exim4-config_remote_smtp_smarthost
--- etc/exim4/conf.d/transport/30_exim4-config_remote_smtp_smarthost    2014-07-22 19:16:03.000000000 +0200
+++ /etc/exim4/conf.d/transport/30_exim4-config_remote_smtp_smarthost   2015-03-08 15:51:48.599668544 +0100
@@ -36,3 +36,9 @@
 .ifdef REMOTE_SMTP_SMARTHOST_PRIVATEKEY
 tls_privatekey = REMOTE_SMTP_SMARTHOST_PRIVATEKEY
 .endif
+.ifdef REMOTE_SMTP_SMARTHOST_REQUIRE_TLS
+hosts_require_tls = REMOTE_SMTP_SMARTHOST_REQUIRE_TLS
+.endif
+.ifdef REMOTE_SMTP_SMARTHOST_VERIFY_CERTIFICATES
+tls_verify_certificates = REMOTE_SMTP_SMARTHOST_VERIFY_CERTIFICATES
+.endif
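Review bot: `tls_verify_certificates` on its own only supplies the trust anchors; as far as I recall for the 4.8x series a verification failure against them is not fatal unless the peer also matches `tls_verify_hosts`, so this block alone does not give the "pinning" the report asks for — a smarthost presenting a certificate that fails verification would still receive mail. Pair it with a `tls_verify_hosts` setting following the same `.ifdef` pattern, e.g. `.ifdef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS` / `tls_verify_hosts = REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS` / `.endif` (macro name is a suggestion), and document that the CA-path macro is only effective together with it. Worth confirming against the exact spec for the installed 4.84, since the default verification behaviour changed across 4.8x releases.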
---------------------------------------------------------------------------

-- Package-specific info:
Exim version 4.84 #3 built 17-Feb-2015 17:45:49
Copyright (c) University of Cambridge, 1995 - 2014
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2014
Berkeley DB: Berkeley DB 5.3.28: (September  9, 2013)
Support for: crypteq iconv() IPv6 GnuTLS move_frozen_messages DKIM PRDR OCSP
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch nis nis0 passwd
Authenticators: cram_md5 plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore autoreply lmtp pipe smtp
Fixed never_users: 0
Size of off_t: 8
Configuration file is /var/lib/exim4/config.autogenerated
# /etc/exim4/update-exim4.conf.conf
#
# Edit this file and /etc/mailname by hand and execute update-exim4.conf
# yourself or use 'dpkg-reconfigure exim4-config'
#
# Please note that this is _not_ a dpkg-conffile and that automatic changes
# to this file might happen. The code handling this will honor your local
# changes, so this is usually fine, but will break local schemes that mess
# around with multiple versions of the file.
#
# update-exim4.conf uses this file to determine variable values to replace
# the DEBCONFsomethingDEBCONF strings in the configuration template files.
#
# Most settings found in here do have corresponding questions in the
# Debconf configuration, but not all of them.
#
# This is a Debian specific file

# This host relays all outgoing mail through a smarthost.
dc_eximconfig_configtype='smarthost'
dc_other_hostnames='invalid'
# Accept SMTP on loopback only.
dc_local_interfaces='127.0.0.1'
# Starred-out values below appear to have been redacted by the reporter.
dc_readhost='**************'
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets=''
# NOTE(review): the opening quote is missing on this line; most likely lost
# during redaction rather than present in the real file — confirm.
dc_smarthost=*****************'
#dc_smarthost='**************'
#dc_smarthost='********************'
CFILEMODE='644'
dc_use_split_config='true'
dc_hide_mailname='true'
dc_mailname_in_oh='true'
dc_localdelivery='mail_spool'
# NOTE(review): the line below is not shell syntax; it looks like the
# /etc/mailname value appended by the report tool — verify.
mailname:invalid

-- System Information:
Debian Release: 8.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.19.0 (SMP w/8 CPU cores; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages exim4-config depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.55

exim4-config recommends no packages.

exim4-config suggests no packages.

-- Configuration Files:

/etc/exim4/conf.d/transport/30_exim4-config_remote_smtp changed:
# Transport for direct delivery to remote MX hosts.
remote_smtp:
  debug_print = "T: remote_smtp for $local_part@$domain"
  driver = smtp
# Each block below sets an option only when the corresponding macro is
# defined elsewhere in the configuration; otherwise the Exim default stands.
# Hosts for which TLS is never attempted.
.ifdef REMOTE_SMTP_HOSTS_AVOID_TLS
  hosts_avoid_tls = REMOTE_SMTP_HOSTS_AVOID_TLS
.endif
.ifdef REMOTE_SMTP_HEADERS_REWRITE
  headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE
.endif
.ifdef REMOTE_SMTP_RETURN_PATH
  return_path = REMOTE_SMTP_RETURN_PATH
.endif
.ifdef REMOTE_SMTP_HELO_DATA
  helo_data=REMOTE_SMTP_HELO_DATA
.endif
# DKIM signing parameters.
.ifdef DKIM_DOMAIN
dkim_domain = DKIM_DOMAIN
.endif
.ifdef DKIM_SELECTOR
dkim_selector = DKIM_SELECTOR
.endif
.ifdef DKIM_PRIVATE_KEY
dkim_private_key = DKIM_PRIVATE_KEY
.endif
.ifdef DKIM_CANON
dkim_canon = DKIM_CANON
.endif
.ifdef DKIM_STRICT
dkim_strict = DKIM_STRICT
.endif
.ifdef DKIM_SIGN_HEADERS
dkim_sign_headers = DKIM_SIGN_HEADERS
.endif
# Outbound TLS parameters: DH minimum and the client certificate/key
# presented to remote hosts.
.ifdef TLS_DH_MIN_BITS
tls_dh_min_bits = TLS_DH_MIN_BITS
.endif
.ifdef REMOTE_SMTP_TLS_CERTIFICATE
tls_certificate = REMOTE_SMTP_TLS_CERTIFICATE
.endif
.ifdef REMOTE_SMTP_PRIVATEKEY
tls_privatekey = REMOTE_SMTP_PRIVATEKEY
.endif
# Added by this report's patch: host list for which TLS is mandatory, so a
# failed TLS negotiation does not fall back to a cleartext session.
# Note the macro name does not follow the HOSTS_AVOID_TLS pattern used above.
.ifdef REMOTE_SMTP_REQUIRE_TLS
hosts_require_tls = REMOTE_SMTP_REQUIRE_TLS
.endif

/etc/exim4/conf.d/transport/30_exim4-config_remote_smtp_smarthost changed:
# Transport for delivery via the configured smarthost.
remote_smtp_smarthost:
  debug_print = "T: remote_smtp_smarthost for $local_part@$domain"
  driver = smtp
# Attempt authentication only for hosts with an entry in
# CONFDIR/passwd.client: the lookup yields the host address when the host
# is found there and an empty list (no auth attempt) otherwise.
  hosts_try_auth = <; ${if exists{CONFDIR/passwd.client} \
        {\
        ${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$host_address}}\
        }\
        {} \
      }
# Each block below sets an option only when the corresponding macro is
# defined elsewhere in the configuration; otherwise the Exim default stands.
.ifdef REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS
  hosts_avoid_tls = REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS
.endif
.ifdef REMOTE_SMTP_HEADERS_REWRITE
  headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE
.endif
.ifdef REMOTE_SMTP_RETURN_PATH
  return_path = REMOTE_SMTP_RETURN_PATH
.endif
.ifdef REMOTE_SMTP_HELO_DATA
  helo_data=REMOTE_SMTP_HELO_DATA
.endif
# Outbound TLS parameters: DH minimum and the client certificate/key
# presented to the smarthost.
.ifdef TLS_DH_MIN_BITS
tls_dh_min_bits = TLS_DH_MIN_BITS
.endif
.ifdef REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE
tls_certificate = REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE
.endif
.ifdef REMOTE_SMTP_SMARTHOST_PRIVATEKEY
tls_privatekey = REMOTE_SMTP_SMARTHOST_PRIVATEKEY
.endif
# Added by this report's patch: host list for which TLS is mandatory, so a
# failed TLS negotiation does not fall back to a cleartext session.
.ifdef REMOTE_SMTP_SMARTHOST_REQUIRE_TLS
hosts_require_tls = REMOTE_SMTP_SMARTHOST_REQUIRE_TLS
.endif
# Added by this report's patch: CA certificate file (or directory) used to
# verify the smarthost's certificate.
# NOTE(review): in this Exim series a verification failure is believed to be
# non-fatal unless the host also matches tls_verify_hosts, which this file
# does not set — confirm against the 4.84 spec before relying on it as pinning.
.ifdef REMOTE_SMTP_SMARTHOST_VERIFY_CERTIFICATES
tls_verify_certificates = REMOTE_SMTP_SMARTHOST_VERIFY_CERTIFICATES
.endif

-- debconf information excluded


