.section "Including TLS/SSL encryption support" "SECTinctlsssl"
.cindex "TLS" "including support for TLS"
.cindex "encryption" "including support for"
-.cindex "SUPPORT_TLS"
.cindex "OpenSSL" "building Exim with"
.cindex "GnuTLS" "building Exim with"
-Exim can be built to support encrypted SMTP connections, using the STARTTLS
-command as per RFC 2487. It can also support legacy clients that expect to
+Exim is usually built to support encrypted SMTP connections, using the STARTTLS
+command as per RFC 2487. It can also support clients that expect to
start a TLS session immediately on connection to a non-standard port (see the
&%tls_on_connect_ports%& runtime option and the &%-tls-on-connect%& command
line option).
OpenSSL or GnuTLS library. There is no cryptographic code in Exim itself for
implementing SSL.
+.new
+If you do not want TLS support you should set
+.code
+DISABLE_TLS=yes
+.endd
+in &_Local/Makefile_&.
+.wen
+
If OpenSSL is installed, you should set
.code
-SUPPORT_TLS=yes
+USE_OPENSL=yes
TLS_LIBS=-lssl -lcrypto
.endd
in &_Local/Makefile_&. You may also need to specify the locations of the
OpenSSL library and include files. For example:
.code
-SUPPORT_TLS=yes
+USE_OPENSL=yes
TLS_LIBS=-L/usr/local/openssl/lib -lssl -lcrypto
TLS_INCLUDE=-I/usr/local/openssl/include/
.endd
.cindex "pkg-config" "OpenSSL"
If you have &'pkg-config'& available, then instead you can just use:
.code
-SUPPORT_TLS=yes
+USE_OPENSL=yes
USE_OPENSSL_PC=openssl
.endd
.cindex "USE_GNUTLS"
If GnuTLS is installed, you should set
.code
-SUPPORT_TLS=yes
USE_GNUTLS=yes
TLS_LIBS=-lgnutls -ltasn1 -lgcrypt
.endd
in &_Local/Makefile_&, and again you may need to specify the locations of the
library and include files. For example:
.code
-SUPPORT_TLS=yes
USE_GNUTLS=yes
TLS_LIBS=-L/usr/gnu/lib -lgnutls -ltasn1 -lgcrypt
TLS_INCLUDE=-I/usr/gnu/include
.cindex "pkg-config" "GnuTLS"
If you have &'pkg-config'& available, then instead you can just use:
.code
-SUPPORT_TLS=yes
USE_GNUTLS=yes
USE_GNUTLS_PC=gnutls
.endd
domains = ! +local_domains
transport = remote_smtp
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
-.ifdef _HAVE_DNSSEC
- dnssec_request_domains = *
-.endif
no_more
.endd
The &%domains%& option behaves as per smarthost, above.
&*Note*&: Under versions of OpenSSL preceding 1.1.1,
when a list of more than one
file is used for &%tls_certificate%&, this variable is not reliable.
+.new
+The macro "_TLS_BAD_MULTICERT_IN_OURCERT" will be defined for those versions.
+.wen
.vitem &$tls_in_peercert$&
.vindex "&$tls_in_peercert$&"
&*Note*&: Under versions of OpenSSL preceding 1.1.1,
when a list of more than one
file is used, the &$tls_in_ourcert$& variable is unreliable.
-
-&*Note*&: OCSP stapling is not usable under OpenSSL
-when a list of more than one file is used.
+.new
+The macro "_TLS_BAD_MULTICERT_IN_OURCERT" will be defined for those versions.
+.wen
If the option contains &$tls_out_sni$& and Exim is built against OpenSSL, then
if the OpenSSL build supports TLS extensions and the TLS client sends the
Certificate Authority.
Usable for GnuTLS 3.4.4 or 3.3.17 or OpenSSL 1.1.0 (or later).
+.new
+The macro "_HAVE_TLS_OCSP" will be defined for those versions.
+.wen
.new
For OpenSSL 1.1.0 or later, and
for GnuTLS 3.5.6 or later the expanded value of this option can be a list
of files, to match a list given for the &%tls_certificate%& option.
The ordering of the two lists must match.
+.new
+The macro "_HAVE_TLS_OCSP_LIST" will be defined for those versions.
+.wen
.new
The file(s) should be in DER format,
.code
USE_GNUTLS=yes
.endd
-in Local/Makefile, in addition to
-.code
-SUPPORT_TLS=yes
-.endd
-You must also set TLS_LIBS and TLS_INCLUDE appropriately, so that the
+in Local/Makefile
+you must also set TLS_LIBS and TLS_INCLUDE appropriately, so that the
include files and libraries for GnuTLS can be found.
There are some differences in usage when using GnuTLS instead of OpenSSL: