Make TLS usage in exim conditional on having the infrastructure to do
[mirror/dsa-puppet.git] / modules / exim / files / common / exim4.conf
index 019a4e0..3b87319 100644 (file)
@@ -124,6 +124,16 @@ RESERVEDADDRS = 0.0.0.0/8 : 127.0.0.0/8 : 10.0.0.0/8 : 169.254.0.0/16 : \
 
 hostlist reservedaddrs = RESERVEDADDRS
 
+.ifdef USE_TLS
+tls_certificate = /etc/exim4/ssl/thishost.crt
+tls_privatekey = /etc/exim4/ssl/thishost.key
+.ifdef RELAY_HOST
+tls_try_verify_hosts = *
+tls_verify_certificates = /etc/exim4/ssl/ca.crt
+tls_crl = /etc/exim4/ssl/ca.crl
+.endif
+.endif
+
 #system_filter = /etc/exim4/filter
 #system_filter_file_transport = address_file
 
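Review bot: `tls_try_verify_hosts = *` on the new line under `.ifdef RELAY_HOST` only attempts client-certificate verification; a client whose certificate fails to verify against ca.crt (or presents none) is still accepted for the TLS session, so this setting by itself authenticates nothing. If any relay or `accept` decision for RELAY_HOST is meant to depend on the peer certificate, the ACL in question needs an explicit `verify = certificate` condition, and that ACL is outside this hunk. A one-line comment above the block would make the contract clear, e.g. `# Verification is advisory here: failures are logged (tls_peerdn) but not rejected; ACLs must test verify = certificate`. Since `tls_crl` is now set, the CRL file presumably needs a refresh process as well; if it goes missing or stale, TLS setup behaviour depends on the TLS library and should be confirmed.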
@@ -190,6 +200,9 @@ admin_groups = adm
 remote_sort_domains = *.debian.org:*.debian.net
 
 pipelining_advertise_hosts = !*
+.ifdef USE_TLS
+tls_advertise_hosts = *
+.endif
 smtp_enforce_sync = true
 
 log_selector = +tls_cipher +tls_peerdn +queue_time +deliver_time +smtp_connection +smtp_incomplete_transaction +smtp_confirmation
@@ -413,7 +426,7 @@ check_recipient:
   defer   !hosts         = +debianhosts
           condition      = ${if >{${eval:$acl_c1}}{0}}
           ratelimit      = 10 / 60m / per_rcpt / $sender_host_address
-          message        = slow down (no reverse dns, mismatched ehlo, dialup, or in blacklists))
+          message        = slow down (no reverse dns, mismatched ehlo, dialup, or in blacklists)
 
 .ifdef HAVE_POLICYD
   # Check with policyd-weight - this only works with a version after etch's,
@@ -1117,7 +1130,11 @@ address_reply:
 remote_smtp:
   driver = smtp
   connect_timeout = 1m
-  hosts_avoid_tls = *
+.ifdef USE_TLS
+  tls_tempfail_tryclear = true
+  tls_certificate = /etc/exim4/ssl/thishost.crt
+  tls_privatekey = /etc/exim4/ssl/thishost.key
+.endif
 
 # Send the message to procmail
 procmail_pipe:
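Review bot: Removing `hosts_avoid_tls = *` unconditionally changes the behaviour for hosts where USE_TLS is not defined: the transport now falls back to Exim's default and will attempt STARTTLS on outbound connections whenever the remote advertises it, whereas before TLS was never used. If the intent of the commit is that TLS is used only where the infrastructure exists, the old setting belongs in an `.else` branch: `.else` / `  hosts_avoid_tls = *` before the `.endif`. Note also that `tls_tempfail_tryclear = true` makes the outbound TLS opportunistic, retrying in clear when STARTTLS fails temporarily; that is a reasonable default for MX delivery but worth stating in a comment, e.g. `# opportunistic: falls back to cleartext if STARTTLS tempfails`. The remote_smtp transport continues past the end of the hunk, so any further TLS-related options there were not reviewed.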