Bug#949482: exim4-config: Please drop the pointless warning "Warning: No server certificate defined; will use a selfsigned one."

Vincent Lefevre vincent at vinc17.net
Tue Apr 28 21:23:31 BST 2020

On 2020-04-28 19:22:34 +0200, Francesco Poli wrote:
> On Tue, 21 Jan 2020 13:55:20 +0100 Vincent Lefevre <vincent at vinc17.net>
> wrote: [...]
> > Each time I upgrade exim4, I get:
> > 
> > Setting up exim4-config (4.93-9) ...
> > 2020-01-21 13:27:26 Warning: No server certificate defined; will use a selfsigned one.
> >  Suggested action: either install a certificate or change tls_advertise_hosts option
> It is also written to /var/log/exim4/mainlog at *each* queue run (thus
> twice per hour).

Twice per hour by default. I run the queue every 5 minutes in order
to get greylisted mail sent faster. Thus I get this message every
5 minutes.

> I am also under the impression that this warning should be muted, at
> least when
>   $ grep interfaces /etc/exim4/update-exim4.conf.conf 
>   dc_local_interfaces=' ; ::1'
> The rationale is: if my exim only listens to the loopback interface,
> then I don't need a server certificate, since my exim won't accept
> connections from remote clients.
> Does this make sense?

No, I don't think that this is related. It is fine to use a
self-signed certificate even if you are listening broadly.

FYI, I don't have any issue with postfix, which uses

  /etc/ssl/certs/ssl-cert-snakeoil.pem (certificate)
  /etc/ssl/private/ssl-cert-snakeoil.key (private key)

created by the ssl-cert package. For the client, I just have to
provide the fingerprint of the certificate. IMHO, if a warning
is important, it is on the client side (but this should be more
than a warning, the client should refuse the connection).

Vincent Lefèvre <vincent at vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
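
The client-side check described in the message's last paragraph (pin the self-signed certificate's fingerprint and refuse the connection on a mismatch), as an added Python example that is not part of the original message. The function names, the choice of SHA-256 and the sample values are assumptions of this example.

```python
import hashlib
import hmac
import smtplib
import ssl


def normalize_fingerprint(text: str) -> bytes:
    """Accept 'AA:BB:..' (openssl style) or plain hex; return raw digest bytes."""
    cleaned = text.strip().replace(":", "").replace(" ", "")
    digest = bytes.fromhex(cleaned)  # raises ValueError on non-hex input
    if len(digest) != hashlib.sha256().digest_size:
        raise ValueError("expected a SHA-256 fingerprint (32 bytes)")
    return digest


def cert_matches_pin(der_cert: bytes, pinned_fingerprint: str) -> bool:
    """Constant-time comparison of the certificate's SHA-256 digest with the pin."""
    actual = hashlib.sha256(der_cert).digest()
    return hmac.compare_digest(actual, normalize_fingerprint(pinned_fingerprint))


def open_pinned_smtp(host: str, port: int, pinned_fingerprint: str) -> smtplib.SMTP:
    """STARTTLS to host:port; close and raise unless the server cert matches the pin."""
    # CA validation is off on purpose: a self-signed certificate has no CA chain,
    # so the pin check below is the only authentication of the server.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    smtp = smtplib.SMTP(host, port, timeout=10)
    try:
        smtp.starttls(context=ctx)  # raises if the server does not offer STARTTLS
        der = smtp.sock.getpeercert(binary_form=True)
        if der is None or not cert_matches_pin(der, pinned_fingerprint):
            raise ssl.SSLError("server certificate does not match pinned fingerprint")
    except Exception:
        smtp.close()  # refuse the connection rather than continue unauthenticated
        raise
    return smtp


# Constructed sample: arbitrary bytes standing in for a DER-encoded certificate.
SAMPLE_DER = b"constructed-sample-not-a-real-certificate"
SAMPLE_PIN = ":".join(f"{b:02X}" for b in hashlib.sha256(SAMPLE_DER).digest())
```
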
