https://bugs.exim.org/show_bug.cgi?id=2545
--- Comment #2 from Andreas Metzler <[email protected]> ---
(In reply to Jeremy Harris from comment #1)
> The other side of the coin is: if the system is being used as an SMTP
> server then the admin should realise what they're doing and get a
> certificate generated which is traceable to an authority trusted by
> the clients. Otherwise, the clients get only wire-encryption and do
> not get authentication. Thereby, an attacker who has penetrated this
> enclave could manage to spoof being the server, and inspect the mails.
> The obnoxious message is there to point out the situation to the admin.
> There's no single good answer, I think. I'll leave the bug open for other
> comments, but am not currently intending to work on generating a high-quality
> automatic security solution. In my opinion this should be done by distros.

Hello,

I am coming from the distro side. AFAICT I have got these choices:

* Use exim's default values. --> obnoxious message

* Disable TLS by default. I did that until exim's upstream default values
  changed. I also think encryption with an unverifiable certificate is
  preferable to no TLS.

* Use a snakeoil certificate. It would not be too difficult to generate one
  at install time, _once_. Keeping it working with usable defaults over time
  (longer keys, nonbroken algorithms) while not overwriting user changes gets
  hard. This just feels like a complicated, fragile way to suppress a warning
  message.

What we cannot do is throw a warning at install time, or ask a set of
questions to customize the snakeoil certificate. There are already too many
questions and warnings at install time. Also I somehow trust that people
setting up exim as a real internet-facing service are not too stupid. This is
a complicated minefield, and getting a certificate from letsencrypt and
installing it is neither the most important nor the hardest part. I do not
think exim needs to provide super sensitive handholding here.
cu Andreas
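The third option above (generate a snakeoil certificate once at install time, then keep it meeting current minimums without clobbering an admin-supplied one) is the part that "gets hard". The script below is an added illustration of one way to do it; it is not exim's code and not Debian's packaging. It assumes the openssl CLI, a hypothetical certificate location under CERT_DIR, a marker file that records "this certificate was generated by the package" so that only package-generated certificates are ever replaced, an RSA-only key-size check, and arbitrary thresholds (2048-bit minimum, at least 30 days of validity left).

```shell
#!/bin/sh
# Added example (not exim's or Debian's packaging code): create a snakeoil
# certificate once, and later regenerate it only if (a) it no longer meets
# current minimums and (b) it is still the one we generated (marker present).
# An admin-supplied certificate is never touched, only warned about.
set -e

CERT_DIR="${CERT_DIR:-./exim-tls-demo}"      # hypothetical location
CERT="$CERT_DIR/exim.crt"
KEY="$CERT_DIR/exim.key"
MARKER="$CERT_DIR/.generated-by-package"     # present => we own this cert
MIN_RSA_BITS=2048                            # assumed policy thresholds
MIN_DAYS_LEFT=30

# Generate a fresh self-signed RSA certificate and mark it as package-owned.
generate_snakeoil() {
    mkdir -p "$CERT_DIR"
    cn="${SNAKEOIL_CN:-$(hostname 2>/dev/null || echo localhost)}"
    openssl req -x509 -newkey rsa:3072 -sha256 -nodes -days 365 \
        -subj "/CN=$cn" -keyout "$KEY" -out "$CERT" 2>/dev/null
    chmod 600 "$KEY"
    : > "$MARKER"
}

# Print "ok" and return 0 if the certificate passes today's minimums,
# otherwise print the reason and return 1. Assumes an RSA key.
cert_is_acceptable() {
    cert="$1"
    [ -r "$cert" ] || { echo "missing"; return 1; }
    text=$(openssl x509 -in "$cert" -noout -text)
    bits=$(printf '%s\n' "$text" \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n1)
    [ "${bits:-0}" -ge "$MIN_RSA_BITS" ] \
        || { echo "key too short: ${bits:-?} bits"; return 1; }
    sigalg=$(printf '%s\n' "$text" \
        | sed -n 's/^ *Signature Algorithm: //p' | head -n1)
    case "$sigalg" in
        *md5*|*sha1*) echo "weak signature algorithm: $sigalg"; return 1 ;;
    esac
    openssl x509 -in "$cert" -noout -checkend $((MIN_DAYS_LEFT * 86400)) >/dev/null \
        || { echo "expires within $MIN_DAYS_LEFT days"; return 1; }
    echo "ok"
    return 0
}

# Entry point for a postinst-style hook. Prints what it did:
# "generated", "kept", "regenerated (<reason>)" or "left".
ensure_snakeoil() {
    if [ ! -r "$CERT" ]; then
        generate_snakeoil
        echo "generated"
        return 0
    fi
    reason=$(cert_is_acceptable "$CERT") && { echo "kept"; return 0; }
    if [ -e "$MARKER" ]; then
        generate_snakeoil
        echo "regenerated ($reason)"
        return 0
    fi
    echo "warning: admin-supplied certificate is $reason; not touching it" >&2
    echo "left"
    return 0
}

# Run directly as `sh snakeoil.sh run` to apply to CERT_DIR.
if [ "${1:-}" = "run" ]; then
    ensure_snakeoil
fi
```

The marker file is the whole trick: without some record of who created the certificate, a later package upgrade cannot tell a weak package-generated cert (safe to replace) from a weak admin-supplied one (must not be replaced), which is exactly the "not overwriting user changes" problem. Extending the check to EC keys or a different signature policy is a matter of editing cert_is_acceptable.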
