Axel Thimm wrote:
On Tue, Dec 21, 2004 at 09:28:28PM +0100, Enrico Scholz wrote:
dwmw2@xxxxxxxxxxxxx (David Woodhouse) writes:
exim-4.43-3
* Thu Dec 16 2004 David Woodhouse <dwmw2@xxxxxxxxxx> 4.43-3
- Demonstrate SASL auth configuration in default config file
- Enable TLS and provide certificate if necessary
- Don't reject all GB2312 charset mail by default
This enables TLS on incoming and outgoing mail by default -- some
feedback from testing would be appreciated.
To repeat my arguments from bugs #141479, #143392 and #143393:
* the /usr filesystem (inclusive /usr/share/ssl) can be shared between
several hosts; when there are multiple servers, every one would use
the same certificate. This will not work because CN must match the DNS
name
* the sharing happens in >90% of all cases over an unencrypted
network-filesystem (NFS). So, an attacker could easily get the
SSL key.
A better place for the certificates would be somewhere under /etc.
Indeed, I always wondered why the certificates had been put under
/usr/share/ssl and by whom. The FHS had been quite strict on this from
the very beginning.
/etc seems a rather sane place. Perhaps /etc/ssl/?
agree!
the first think what i used to do is
mkdir /etc/ssl
mv /usr/share/ssl/* /etc/ssl/
rm -rf /usr/share/ssl
ln -s /etc/ssl /usr/share/
these are the only configuration files which are not under /etc. why???
--
Levente "Si vis pacem para bellum!"
