# Example for TLS/SSL configuration.

# See /usr/share/doc/exim4-base/README.TLS* for explanations.

# Logs the cipher that your exim and the peer's mailer use to encrypt the
# transaction. It also logs the 'DN' (Distinguished Name) of the peer's
# certificate.
#
# log_selector = +tls_cipher +tls_peerdn

# Defines which hosts to 'advertise' STARTTLS functionality to. Setting this
# to * will advertise to all hosts that connect with EHLO, and this is a
# good default.
#
# tls_advertise_hosts = *

# Defines where your SSL certificate and SSL private key are located.
# This requires a full path. The files pointed to must be kept 'secret'
# and should be owned by root.Debian-exim (user root, group Debian-exim),
# mode 640 (-rw-r-----), so that no other local user can read them. Usually
# the exim-gencert script takes care of these prerequisites.
#
# tls_certificate = CONFDIR/exim.crt
# tls_privatekey = CONFDIR/exim.key

# A file which contains the certificates of the trusted CAs (Certification
# Authorities) against which host certificates can be checked (through the
# `tls_verify_hosts' and `tls_try_verify_hosts' lists below).
# /etc/ssl/certs/ca-certificates.crt is generated by
# the "ca-certificates" package's update-ca-certificates(8) command.
#
#tls_verify_certificates = /etc/ssl/certs/ca-certificates.crt

# A list of hosts which are constrained by `tls_verify_certificates'. A host
# that matches `tls_verify_hosts' must present a certificate that is
# verifiable through `tls_verify_certificates' in order to be accepted as an
# SMTP client. If it does not, the connection is aborted.
#
#tls_verify_hosts = 

# A weaker form of checking: if a client matches `tls_try_verify_hosts' (but
# not `tls_verify_hosts'), request a certificate and check it against
# `tls_verify_certificates' but do not abort the connection if there is no
# certificate or if the certificate presented fails that check. Because the
# connection continues either way, the result is only enforced where an ACL
# tests for it through `verify = certificate'.
#
#tls_try_verify_hosts = *
