Marc Haber <mh+debian-de...@zugschlus.de> writes:

> For e-mail coming in from other clients, with the local exim acting as
> a server?

> Certificates are usually only used in E-Mail when a server authenticates
> itself to a client before the client sends its authentication data. SMTP
> with client certificates is possible, but I have only seen this two
> times in 15 years of running E-Mail servers.

All mail servers I run are configured with TLS certificates because that's
how you encrypt SMTP traffic between servers. (Self-signed certificates
are fine for that purpose since the point is wire encryption, not
authentication.) I don't see any reason to send my email in the clear
over the network when there's a simple alternative that's widely
supported. Among other reasons, any little thing we can do to make life
harder for governments who think they should be able to wiretap network
traffic without a warrant seems like a good idea to me.

I don't know how Exim works in this regard, but for Postfix:

    # Enable opportunistic TLS.
    smtp_tls_loglevel = 1
    smtp_tls_security_level = may

    # Present a server certificate to clients.
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_security_level = may
    smtpd_tls_cert_file = /etc/ssl/certs/<hostname>.pem
    smtpd_tls_key_file = /etc/ssl/private/<hostname>.key

will enable opportunistic TLS both sending and receiving without
interfering with one's ability to talk to mail servers that aren't willing
or configured to do TLS.

-- 
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
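Added example, not part of the message above and not Postfix code: a small Python check that reads main.cf-style text and reports, per direction, whether TLS is off, opportunistic (`may`) or stricter, using the parameters named in the message. The function names are hypothetical, and an unset level is assumed to mean no TLS (the legacy `smtp_use_tls`/`smtpd_use_tls` switches are not considered).

```python
import re

def parse_main_cf(text):
    """Parse main.cf text: '#' comments, 'name = value', indented continuations."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():  # continuation of the previous logical line
            if last:
                params[last] = (params[last] + " " + raw.strip()).strip()
            continue
        m = re.match(r"([A-Za-z0-9_]+)\s*=\s*(.*)$", raw)
        if m:
            last = m.group(1)
            params[last] = m.group(2).strip()
    return params

def mode(level):
    """'off' (unset or none), 'opportunistic' (may), 'strict' (anything else)."""
    if level in ("", "none"):
        return "off"
    return "opportunistic" if level == "may" else "strict"

def audit(text):
    # Assumption: only the parameters from the message are inspected.
    p = parse_main_cf(text)
    out = mode(p.get("smtp_tls_security_level", ""))
    inn = mode(p.get("smtpd_tls_security_level", ""))
    notes = []
    if out == "off":
        notes.append("outbound mail is never encrypted")
    if inn == "off":
        notes.append("STARTTLS is not offered to sending servers")
    elif not p.get("smtpd_tls_cert_file"):
        notes.append("inbound TLS enabled but smtpd_tls_cert_file is unset")
    if "strict" in (out, inn):
        notes.append("strict level set: peers without usable TLS may be refused")
    return {"outbound": out, "inbound": inn, "notes": notes}

# Constructed inputs: settings from the message (abridged), and a logging-only config.
FROM_MESSAGE = """\
smtp_tls_loglevel = 1
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/ssl/certs/<hostname>.pem
smtpd_tls_key_file = /etc/ssl/private/<hostname>.key
"""
LOGGING_ONLY = "smtp_tls_loglevel = 1\nsmtpd_tls_loglevel = 1\n"
```

`audit(FROM_MESSAGE)` reports both directions as opportunistic with no notes, while `audit(LOGGING_ONLY)` shows that raising the log level alone leaves both directions in cleartext.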