Re: default MTA



Marc Haber <mh+debian-devel@zugschlus.de> writes:

> For e-mail coming in from other clients, with the local exim acting as
> a server?

> Certificates are usually only used in E-Mail when a server authenticates
> itself to a client before the client sends its authentication data. SMTP
> with client certificates is possible, but I have only seen this two
> times in 15 years of running E-Mail servers.

All mail servers I run are configured with TLS certificates because that's
how you encrypt SMTP traffic between servers.  (Self-signed certificates
are fine for that purpose since the point is wire encryption, not
authentication.)  I don't see any reason to send my email in the clear
over the network when there's a simple alternative that's widely
supported.  Among other reasons, any little thing we can do to make life
harder for governments who think they should be able to wiretap network
traffic without a warrant seems like a good idea to me.

I don't know how Exim works in this regard, but for Postfix:

# Enable opportunistic TLS.
smtp_tls_loglevel           = 1
smtp_tls_security_level     = may

# Present a server certificate to clients.
smtpd_tls_loglevel          = 1
smtpd_tls_received_header   = yes
smtpd_tls_security_level    = may
smtpd_tls_cert_file         = /etc/ssl/certs/<hostname>.pem
smtpd_tls_key_file          = /etc/ssl/private/<hostname>.key

will enable opportunistic TLS both sending and receiving without
interfering with one's ability to talk to mail servers that aren't willing
or configured to do TLS.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
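As an added check on the Postfix fragment above (an example written for this page, not Russ's or the Postfix project's code): a small linter that parses main.cf syntax and reports, for each direction, whether TLS is opportunistic, off, or mandatory. The two sample fragments are constructed; the `<hostname>` placeholders from the post are flagged until replaced.

```python
import re

# Constructed samples (not captured from a real server): the fragment from the post,
# placeholders included, and a weaker fragment with TLS switched off on both sides.
POST_CF = """\
# Enable opportunistic TLS.
smtp_tls_loglevel           = 1
smtp_tls_security_level     = may

# Present a server certificate to clients.
smtpd_tls_loglevel          = 1
smtpd_tls_received_header   = yes
smtpd_tls_security_level    = may
smtpd_tls_cert_file         = /etc/ssl/certs/<hostname>.pem
smtpd_tls_key_file          = /etc/ssl/private/<hostname>.key
"""
WEAK_CF = "smtp_tls_security_level = none\nsmtpd_tls_security_level = none\n"

def parse_main_cf(text):
    """Parse main.cf syntax: 'name = value', '#' comments, whitespace-led continuations."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current:  # continuation of the previous value
            params[current] += " " + raw.strip()
        elif (m := re.match(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$", raw)):
            current = m.group(1)
            params[current] = m.group(2).strip()
    return params

def tls_findings(params):
    """List TLS posture problems; an empty list means opportunistic TLS both ways."""
    findings = []
    out = params.get("smtp_tls_security_level") or "none"   # unset means none
    inb = params.get("smtpd_tls_security_level") or "none"
    if out == "none":
        findings.append("outbound: smtp_tls_security_level=none, relayed mail goes in the clear")
    elif out == "encrypt":
        findings.append("outbound: encrypt refuses peers without TLS; 'may' keeps it opportunistic")
    if inb == "none":
        findings.append("inbound: smtpd_tls_security_level=none, STARTTLS is never offered")
    else:
        for key in ("smtpd_tls_cert_file", "smtpd_tls_key_file"):
            value = params.get(key, "")
            if not value or "<" in value:
                findings.append(f"inbound: {key} missing or still a placeholder")
    return findings
```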