On Tue, Dec 21, 2004 at 09:28:28PM +0100, Enrico Scholz wrote: > dwmw2@xxxxxxxxxxxxx (David Woodhouse) writes: > >> exim-4.43-3 > >> * Thu Dec 16 2004 David Woodhouse <dwmw2@xxxxxxxxxx> 4.43-3 > >> - Demonstrate SASL auth configuration in default config file > >> - Enable TLS and provide certificate if necessary > >> - Don't reject all GB2312 charset mail by default > > > > This enables TLS on incoming and outgoing mail by default -- some > > feedback from testing would be appreciated. > > To repeat my arguments from bugs #141479, #143392 and #143393: > > * the /usr filesystem (inclusive /usr/share/ssl) can be shared between > several hosts; when there are multiple servers, every one would use > the same certificate. This will not work because CN must match the DNS > name > > * the sharing happens in >90% of all cases over an unencrypted > network-filesystem (NFS). So, an attacker could easily get the > SSL key. > > A better place for the certificates would be somewhere under /etc. Indeed, I always wondered why the certificates had been put under /usr/share/ssl and by whom. The FHS had been quite strict on this from the very beginning. /etc seems a rather sane place. Perhaps /etc/ssl/? -- Axel.Thimm at ATrpms.net
Attachment:
pgpxA7cJj6mM3.pgp
Description: PGP signature
