dwmw2@xxxxxxxxxxxxx (David Woodhouse) writes:

>> exim-4.43-3
>> -----------
>> * Thu Dec 16 2004 David Woodhouse <dwmw2@xxxxxxxxxx> 4.43-3
>> - Demonstrate SASL auth configuration in default config file
>> - Enable TLS and provide certificate if necessary
>> - Don't reject all GB2312 charset mail by default
>
> This enables TLS on incoming and outgoing mail by default -- some
> feedback from testing would be appreciated.

To repeat my arguments from bugs #141479, #143392 and #143393:

* the /usr filesystem (including /usr/share/ssl) can be shared between
  several hosts; when there are multiple servers, every one would use
  the same certificate. This will not work because CN must match the
  DNS name

* the sharing happens in >90% of all cases over an unencrypted
  network-filesystem (NFS). So, an attacker could easily get the SSL key.

A better place for the certificates would be somewhere under /etc.

Enrico