Make TLS usage in exim conditional on having the infrastructure to do
authorStephen Gran <steve@lobefin.net>
Sun, 5 Apr 2009 01:09:02 +0000 (02:09 +0100)
committerStephen Gran <steve@lobefin.net>
Sun, 5 Apr 2009 01:09:02 +0000 (02:09 +0100)
so.  It's a little racy, so I don't want to make exim whine about it
Signed-off-by: Stephen Gran <steve@lobefin.net>
facts/mta.rb
modules/exim/files/common/exim4.conf
templates/exim-local-auto.erb

index 5d2242a6130006181f59a92c14d11b83f6c191e1..74272b678d8826f6fb6168bf437b115ab0dec75f 100644 (file)
@@ -7,3 +7,13 @@ Facter.add("mta") do
                mta
        end
 end
+
+facter.add("exim_ssl_certs") do
+       setcode do
+               FileTest.exist?("/etc/exim4/ssl/") &&
+               FileTest.exist?("/etc/exim4/ssl/ca.crl") &&
+               FileTest.exist?("/etc/exim4/ssl/thishost.crt") &&
+               FileTest.exist?("/etc/exim4/ssl/ca.crt") &&
+               FileTest.exist?("/etc/exim4/ssl/thishost.key")
+       end
+end
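Review bot: The new fact is registered with `facter.add(...)` in lower case, while the existing fact in the hunk header uses the `Facter` constant. As written, this line most likely raises a NameError when the file is loaded, so `exim_ssl_certs` is never set and every host ends up with USE_TLS undefined; it should read `Facter.add("exim_ssl_certs") do`. The check is also existence-only: an empty or half-written certificate or key, or one the exim run-time user cannot read, still yields true, which is the racy case the commit message mentions. Using `File.size?` on the four files would at least rule out empty ones. A short comment above the block naming its consumer (the USE_TLS switch in templates/exim-local-auto.erb) would help the next reader.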
index 6c4fecb9fe9db2369683ab3740ad994547967551..3b87319b3e2aeebbcb98c2b30255fa7d5fdde8ad 100644 (file)
@@ -124,6 +124,7 @@ RESERVEDADDRS = 0.0.0.0/8 : 127.0.0.0/8 : 10.0.0.0/8 : 169.254.0.0/16 : \
 
 hostlist reservedaddrs = RESERVEDADDRS
 
+.ifdef USE_TLS
 tls_certificate = /etc/exim4/ssl/thishost.crt
 tls_privatekey = /etc/exim4/ssl/thishost.key
 .ifdef RELAY_HOST
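Review bot: Nothing near the new `.ifdef USE_TLS` says where the macro comes from or what happens without it, and the same is true of the guards in the hunks at -131, -198 and -1126. When USE_TLS is undefined the host sets no certificate and stops advertising STARTTLS, so mail is accepted in cleartext without any complaint from exim; per the commit message that is the intent, but it is invisible in this file. I would add a comment above the first guard such as `# USE_TLS is set by templates/exim-local-auto.erb when the exim_ssl_certs fact is true; without it no certificate is configured and STARTTLS is not advertised`. Since `log_selector` already includes `+tls_cipher`, hosts in that state can be spotted by accepted messages lacking an `X=` field, which is worth alerting on. The `.ifdef` opened here is closed in the next hunk.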
@@ -131,6 +132,7 @@ tls_try_verify_hosts = *
 tls_verify_certificates = /etc/exim4/ssl/ca.crt
 tls_crl = /etc/exim4/ssl/ca.crl
 .endif
+.endif
 
 #system_filter = /etc/exim4/filter
 #system_filter_file_transport = address_file
@@ -198,7 +200,9 @@ admin_groups = adm
 remote_sort_domains = *.debian.org:*.debian.net
 
 pipelining_advertise_hosts = !*
+.ifdef USE_TLS
 tls_advertise_hosts = *
+.endif
 smtp_enforce_sync = true
 
 log_selector = +tls_cipher +tls_peerdn +queue_time +deliver_time +smtp_connection +smtp_incomplete_transaction +smtp_confirmation
@@ -1126,9 +1130,11 @@ address_reply:
 remote_smtp:
   driver = smtp
   connect_timeout = 1m
+.ifdef USE_TLS
   tls_tempfail_tryclear = true
   tls_certificate = /etc/exim4/ssl/thishost.crt
   tls_privatekey = /etc/exim4/ssl/thishost.key
+.endif
 
 # Send the message to procmail
 procmail_pipe:
index e2310b37a166509364d55e396bb7d5d96da68212..e3e4f07fe4a625b812c331730c9d61335675cc59 100644 (file)
@@ -36,3 +36,8 @@ HAVE_USER_QA = 1
 <% else -%>
 # HAVE_USER_QA is undefined
 <% end -%>
+<% if has_variable?("exim_ssl_certs") && exim_ssl_certs == "true" -%>
+USE_TLS = 1
+<% else -%>
+# USE_TLS is undefined
+<% end -%>
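Review bot: The comparison `exim_ssl_certs == "true"` only matches when Facter hands the value over as a string; if the fact ever arrives as a real boolean the test is false and the template silently writes the no-TLS branch. `<% if has_variable?("exim_ssl_certs") && exim_ssl_certs.to_s == "true" -%>` covers both forms. Because the else branch is also taken when the fact is missing altogether, it would help to make the generated comment say so, for example `# USE_TLS is undefined (exim_ssl_certs fact absent or false)`, so a host that lost TLS is distinguishable in the rendered file.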