Bug#1089517: exim4-config: TLS setup logic wrong

Andreas Metzler ametzler at bebt.de
Sun Dec 8 12:41:30 GMT 2024


On 2024-12-08 Slavko <linux at slavino.sk> wrote:
> Package: exim4-config
> Severity: normal
> Version: 4.98-2

> Hi,

> The current (4.98-2) config logic for tls_advertise_hosts is wrong;
> conf.d/main/03_exim4-config_tlsoptions contains this:

>     .ifdef MAIN_TLS_ENABLE
>     .ifndef MAIN_TLS_ADVERTISE_HOSTS
>     MAIN_TLS_ADVERTISE_HOSTS = *
>     .endif
>     tls_advertise_hosts = MAIN_TLS_ADVERTISE_HOSTS

>     ...

>     .else
>     # Use upstream defaults
>     .endif

> But the defaults changed in some version in the past; now the default for
> tls_advertise_hosts is to advertise to all:

>     tls_advertise_hosts = *

> The result is that if MAIN_TLS_ENABLE is set and
> MAIN_TLS_ADVERTISE_HOSTS is not set, the config (re)sets
> tls_advertise_hosts to the default. If MAIN_TLS_ENABLE is not set,
> tls_advertise_hosts is left at the default (again *).

> In other words, tls_advertise_hosts is always "*", no matter if
> MAIN_TLS_ENABLE is set or not.

Well, if you want to change tls_advertise_hosts you should set
MAIN_TLS_ADVERTISE_HOSTS. If you do that and also set MAIN_TLS_ENABLE
then stuff happens as expected. That is what the ".ifndef
MAIN_TLS_ADVERTISE_HOSTS" takes care of.

I do agree that it is superfluous to initialize 'MAIN_TLS_ADVERTISE_HOSTS = *'
by default since this is now the upstream default.

> I suggest changing the logic to this:

>     .ifdef MAIN_TLS_ENABLE
>     # change default if macro is set
>     .ifdef MAIN_TLS_ADVERTISE_HOSTS
>     tls_advertise_hosts = MAIN_TLS_ADVERTISE_HOSTS
>     .endif

>     ...

>     .else
>     # reset default to empty value
>     tls_advertise_hosts =
>     .endif

I agree with the former but disagree with the latter. See below.

> (please add/change comments as appropriate; my English is not good enough for
> that)

> With that change, the MAIN_TLS_ADVERTISE_HOSTS macro is used only if set;
> otherwise, if MAIN_TLS_ENABLE is set it leaves tls_advertise_hosts at the
> default, and if MAIN_TLS_ENABLE is not set, tls_advertise_hosts is
> cleared.

> That is required, as exim's docs state that:

> + if TLS is not needed (IMO not wanted), tls_advertise_hosts must be
>   set to an empty value
> + tls_advertise_hosts's default value requires tls_certificate to be set
> + if tls_certificate is empty (but wanted by tls_advertise_hosts), a
>   self-signed certificate will be generated on every daemon start

The thing is that we want to both
a) follow upstream's default to enable TLS by default (using
on-demand certificates) and
b) not break existing configurations which set MAIN_TLS_ENABLE and
expect exim to use the certificates they placed into exim.crt/key.

That is the rationale for the current configuration which turned
MAIN_TLS_ENABLE into a "use local certs and do enhanced config"-switch
in 2019's 4.93~RC1-4. I agree that the option is kind of misnamed.
However OTOH I do not think we should further complicate the
configuration just to make it easier to disable incoming TLS; that is
very much a niche configuration.

How about making the docs more explicit? If one reads between the lines
the info is there, but it is well hidden:
| Exim supports incoming opportunistic TLS by using on-connect
| autogenerated self-signed certificates. This is not optimal both for
| performance reasons and because these certificates cannot be verified by
| connecting clients/servers.
[...]
| To avoid the (small) performance issue and the log message one can
| locally create certificates. The exim-gencert script (which requires
| openssl) can be helpful for this purpose. It is shipped in
| /usr/share/doc/exim4-base/examples/ and takes care of proper access
| privileges on the private key file when installing key/certificate in
| /etc/exim4/.
| 
| One can also get a certificate from a CA and install the key in
| /etc/exim4/exim.key and the certificate in /etc/exim4/exim.crt.
| 
| To enable use of the installed certificates set the macro
| MAIN_TLS_ENABLE in a local configuration [...]

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
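The macro logic the two messages disagree about, as an added example that is not part of the thread and not exim's own code: a small Python model of exim's .ifdef/.ifndef/.else/.endif handling, run over the shipped fragment and the proposed one for every combination of the two macros. The model is an assumption (it is not exim's parser, it substitutes a macro only when it is the whole option value, and it takes the upstream default `*` from the report); the host list 192.0.2.0/24 is a constructed value.

```python
UPSTREAM_DEFAULT = "*"  # exim's own default for tls_advertise_hosts, as the report states
CURRENT = """\
.ifdef MAIN_TLS_ENABLE
.ifndef MAIN_TLS_ADVERTISE_HOSTS
MAIN_TLS_ADVERTISE_HOSTS = *
.endif
tls_advertise_hosts = MAIN_TLS_ADVERTISE_HOSTS
.else
# Use upstream defaults
.endif
"""  # fragment shipped in 03_exim4-config_tlsoptions, as quoted in the report
PROPOSED = """\
.ifdef MAIN_TLS_ENABLE
.ifdef MAIN_TLS_ADVERTISE_HOSTS
tls_advertise_hosts = MAIN_TLS_ADVERTISE_HOSTS
.endif
.else
tls_advertise_hosts =
.endif
"""  # Slavko's proposed replacement, as quoted in the report
CASES = {  # constructed macro sets covering the four combinations
    "neither": {},
    "advertise only": {"MAIN_TLS_ADVERTISE_HOSTS": "192.0.2.0/24"},
    "enable only": {"MAIN_TLS_ENABLE": "true"},
    "both": {"MAIN_TLS_ENABLE": "true", "MAIN_TLS_ADVERTISE_HOSTS": "192.0.2.0/24"},
}

def evaluate(fragment, macros):
    """Simplified model (an assumption, not exim's parser) of .ifdef/.ifndef/.else/.endif."""
    macros, value = dict(macros), UPSTREAM_DEFAULT
    active = [True]  # stack: is the enclosing block being processed?
    for raw in fragment.splitlines():
        line = raw.strip()
        if line.startswith((".ifdef ", ".ifndef ")):
            directive, name = line.split(None, 1)
            active.append(active[-1] and (name in macros) == (directive == ".ifdef"))
        elif line == ".else":  # taken iff the parent is active and the .if branch was not
            active.append(not active.pop() and active[-1])
        elif line == ".endif":
            active.pop()
        elif active[-1]:  # comments and blank lines fall through harmlessly here
            key, _, val = (part.strip() for part in line.partition("="))
            if key.isupper():  # "NAME = value" defines a macro
                macros[key] = val
            elif key == "tls_advertise_hosts":
                value = macros.get(val, val)  # substitute when the value is a macro name
    return value

def table(fragment):
    return {case: evaluate(fragment, macros) for case, macros in CASES.items()}
```

`table(CURRENT)` yields `*` in every case except "both", which is the behaviour the report describes; `table(PROPOSED)` yields an empty host list whenever MAIN_TLS_ENABLE is unset, which is the part of the proposal the reply declines.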