Use a letsencrypt certificate for the main mail server

[chef.git] / cookbooks / exim / templates / default / exim4.conf.erb

diff --git a/cookbooks/exim/templates/default/exim4.conf.erb b/cookbooks/exim/templates/default/exim4.conf.erb
index eb317b368323149d09b5bb199fcb4e9a23418973..18544c091746dbd64a3153e3385f0b1c2ee1a49a 100644 (file)
--- a/cookbooks/exim/templates/default/exim4.conf.erb
+++ b/cookbooks/exim/templates/default/exim4.conf.erb
@@ -148,7 +148,7 @@ tls_advertise_hosts = <; !127.0.0.1 ; !::1
 
 # Configured TLS cipher selection.
 
-tls_require_ciphers = NORMAL:%LATEST_RECORD_VERSION:-ARCFOUR-128:-MD5:-SHA1:-VERS-SSL3.0:%SERVER_PRECEDENCE
+tls_require_ciphers = <%= node[:ssl][:gnutls_ciphers] %>:%SERVER_PRECEDENCE
 
 # Specify the location of the Exim server's TLS certificate and private key.
 # The private key must not be encrypted (password protected). You can put
@@ -156,8 +156,13 @@ tls_require_ciphers = NORMAL:%LATEST_RECORD_VERSION:-ARCFOUR-128:-MD5:-SHA1:-VER
 # need the first setting, or in separate files, in which case you need both
 # options.
 
+<% if node[:exim][:certificate_names] -%>
+tls_certificate = /etc/ssl/certs/<%= node[:exim][:certificate_names].first %>.pem
+tls_privatekey = /etc/ssl/private/<%= node[:exim][:certificate_names].first %>.key
+<% else -%>
 tls_certificate = /etc/ssl/certs/exim.pem
 tls_privatekey = /etc/ssl/private/exim.key
+<% end -%>
 
 # In order to support roaming users who wish to send email from anywhere,
 # you may want to make Exim listen on other ports as well as port 25, in
@@ -662,7 +667,7 @@ begin transports
 remote_smtp:
   driver = smtp
   multi_domain = false
-  tls_require_ciphers = NORMAL:%LATEST_RECORD_VERSION:-ARCFOUR-128:-MD5:-SHA1:-VERS-SSL3.0:%SERVER_PRECEDENCE
+  tls_require_ciphers = <%= node[:ssl][:gnutls_ciphers] %>:%LATEST_RECORD_VERSION
 
 
 # This transport is used for handling pipe deliveries generated by alias or