X-Git-Url: https://git.exim.org/users/jgh/exim.git/blobdiff_plain/d5c0d8c9374623620844d539d4810da63e9abca1..9669c6e06fa8441557a70ba0759eda19287681ad:/doc/doc-src/FAQ.src?ds=sidebyside diff --git a/doc/doc-src/FAQ.src b/doc/doc-src/FAQ.src index 1d43cbcd2..47b810e5d 100644 --- a/doc/doc-src/FAQ.src +++ b/doc/doc-src/FAQ.src @@ -1861,7 +1861,7 @@ A0117: Here! This is a contribution from a RedHat user, somewhat edited. On ==> adduser exim - (3) Now you can prepare to build Exim. Go to \?http://www.exim.org?\ or + (3) Now you can prepare to build Exim. Go to \?https://www.exim.org?\ or one of its mirrors, or the master ftp site \?ftp://ftp.csx.cam.ac.uk/pub/software/email/exim/exim4?\, and download \(exim-4.20.tar.gz)\ or whatever the current release is. Then: @@ -5740,82 +5740,14 @@ Q1701: I am trying to set up an Exim server that uses a self-signed certificate to enable my clients to use TLS. However, clients other than Exim refuse to accept this certificate. What's wrong? -A1701: It seems that some clients require that the certificate presented by - the server be a user (also called ``leaf'' or ``site'') certificate, and not - a self-signed certificate. In this situation, the self-signed - certificate must be installed on the client as a trusted root - \*certification authority*\ (CA), and the certificate used by the server - must be a user certificate signed with that self-signed certificate. +A1701: Don't use a self-signed certificate today. Use a certificate from a + certificate authority, whether your own private certificate authority or + a free CA such as Let's Encrypt. - For information on creating self-signed CA certificates and using them - to sign user certificates, see the \*General implementation overview*\ - chapter of the Open-source PKI book, available online at - \?http://ospkibook.sourceforge.net/?\. Here is a quick overview. First, - read this message: - - \?http://www.FreeBSD.org/cgi/mid.cgi?id=3C3F3A93.C1ECF9B0%40mindspring.com?\ - - Then, follow the instructions found on these two (consecutive) pages: - - \?http://ospkibook.sourceforge.net/docs/OSPKI-2.4.6/OSPKI/initialisation.htm?\ - \?http://ospkibook.sourceforge.net/docs/OSPKI-2.4.6/OSPKI/keygensign.htm?\ - - Two points on the PKI Book literature: - - (1) It's assumed that it's okay to use a passphrase-protected key to - encrypt the user/site/leaf certificate. If this isn't acceptable, - you seem to be able to strip out the passphrase as follows: - -==> openssl rsa -in user.key -our user.key.new - mv user.key.new - - This should be done immediately after \(user.key)\ is created. - - (2) The \*sign.sh*\ script is available in the \*mod_ssl*\ distribution, - available at \?http://www.modssl.org/source/?\. - - Having followed the instructions, you end up with the following files: - - (a) \(ca.crt)\ - - This file should be installed into the client software as a trusted - root certification authority. In Windows XP, this can be done as follows: - - \#\#Call the file \(ca_cert.cer)\ - [[br]] - \#\#Double-click on the file - [[br]] - \#\#"Install Certificate"; - [[br]] - \#\#"Next" - [[br]] - \#\#"Place all certificates in the following store" - [[br]] - \#\#"Browse..." - [[br]] - \#\#"Trusted Root Certification Authorities" - [[br]] - \#\#"OK" - [[br]] - \#\#"Next" - [[br]] - \#\#"Finish" - [[br]] - \#\#"Yes" - [[br]] - \#\#"OK" - - (b) \(user.crt)\ and \(user.key)\ - - These files should be installed into the server software. In Exim, this - can be done by adding these lines to the configuration file: - -==> tls_certificate = /usr/local/etc/exim/tls_cert - tls_privatekey = /usr/local/etc/exim/tls_key - - Then install \(user.crt)\ and \(user.key)\ under the names \(tls_cert)\ - and \(tls_key)\ in the appropriate directory. + The exim.org setup uses Let's Encrypt, using the lego tooling and a small + shell wrapper to let the certificates be automatically renewed via cron. + \?https://github.com/xenolf/lego?\ Q1702: How can I arrange for Exim to advertise support for SMTP authentication only when the session is encrypted? @@ -7122,7 +7054,7 @@ C037: An elegant way of using ETRN, which does immediate delivery if the host C042: ``Since the Exim 4 configuration needed to get Mailman to work differs a little bit from Exim 3 and since I still haven't seen a recipe for Mailman with Exim 4, I'm providing my configuration (based heavily on - \?http://www.exim.org/howto/mailman.html?\).'' + \?https://www.exim.org/howto/mailman21.html?\).'' C043: ``Attached is an Exim 4 config file which is designed for an Exim server that is put in front of an Exchange 5.5 system but which verifies the