Bug#1089517: exim4-config: TLS setup logic wrong
Slavko
linux at slavino.sk
Sun Dec 8 15:39:04 GMT 2024
Hi,
Eh, I replied directly; resending to the bug report...
On Sun, 8 Dec 2024 13:41:30 +0100, Andreas Metzler <ametzler at bebt.de>
wrote:
> Well, if you want to change tls_advertise_hosts you should set
> MAIN_TLS_ADVERTISE_HOSTS. If you do that and also set MAIN_TLS_ENABLE
> then stuff happens as expected. That is what the ".ifndef
> MAIN_TLS_ADVERTISE_HOSTS" takes care of.
Do I understand you properly? If I want to disable TLS, I have to set
MAIN_TLS_ENABLE? When I leave MAIN_TLS_ADVERTISE_HOSTS out for now,
it sounds rather strange to me ;-)
> b) not break existing configurations which set MAIN_TLS_ENABLE and
> expect exim to use the certificates they placed into exim.crt/key.
But my suggestion doesn't change that; I just skipped the other parts
for simplicity. When MAIN_TLS_ENABLE is not set, then tls_certificate
(and key) remains empty (as no TLS has to be used, but it is), thus the
expectation is not fulfilled (but TLS is in use):
exim -bP tls_certificate tls_privatekey
tls_certificate =
tls_privatekey =
But IMO I got your point about following exim's defaults (while I
don't think that it is proper in this case), and IMO it can be simply
achieved by this:
.ifdef MAIN_TLS_ENABLE
...
.else
#tls_advertise_hosts =
.ifdef MAIN_TLS_ADVERTISE_HOSTS
tls_advertise_hosts = MAIN_TLS_ADVERTISE_HOSTS
.endif
.endif
This will allow leaving MAIN_TLS_ENABLE unset (and keep the macro name's
meaning) but allow changing exim's default just by setting the macro to
an empty value:
MAIN_TLS_ADVERTISE_HOSTS =
But anyway I think that not setting MAIN_TLS_ENABLE has to be
interpreted as "I don't want TLS at all", not as "I want TLS and a
(temporary!) self-signed certificate".
> How about making the docs more explicit?
Good documentation is best ;-) If you want to discuss the TLS docs with
me, feel free to write to me off this bug report...
regards
--
Slavko
https://www.slavino.sk
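
A check for the state discussed in the message above (TLS advertised while tls_certificate is empty), added here as an example and not part of the original e-mail or of the Debian package. The function name tls_state, its result labels and the sample input are assumptions; the option names are the ones quoted in the message.

```shell
#!/bin/sh
# Added example: classify the TLS state from `exim -bP` output read on stdin.
# Input lines have the form "option = value"; the value may be empty.
# tls_state and its labels are hypothetical names chosen for this example.

tls_state() {
    awk '
        {
            # Split on the first "=" only, so values containing "=" survive.
            pos = index($0, "=")
            if (pos == 0) next
            name  = substr($0, 1, pos - 1)
            value = substr($0, pos + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            gsub(/^[ \t]+|[ \t]+$/, "", value)
            opt[name] = value
        }
        END {
            # Both options must have been queried to say anything useful.
            if (!("tls_advertise_hosts" in opt) || !("tls_certificate" in opt)) {
                print "unknown"; exit
            }
            # Empty host list: STARTTLS is offered to nobody.
            if (opt["tls_advertise_hosts"] == "") { print "not-advertised"; exit }
            # Advertised, but no certificate was configured by the admin.
            if (opt["tls_certificate"] == "") { print "advertised-no-certificate"; exit }
            print "advertised-with-certificate"
        }
    '
}

# Constructed sample: the two empty options quoted in the message, plus an
# assumed "tls_advertise_hosts = *" line for a host that advertises TLS.
sample='tls_advertise_hosts = *
tls_certificate =
tls_privatekey ='

printf '%s\n' "$sample" | tls_state

# On a live system (binary name as used in the message):
#   exim -bP tls_advertise_hosts tls_certificate tls_privatekey | tls_state
```

A result of advertised-no-certificate is the combination the message objects to: the admin configured no certificate, yet STARTTLS is still offered.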