Re: [Exim] tls_verify_certificate

Author: Micropterus Salmoides
Date:  
To: exim-users
Subject: Re: [Exim] tls_verify_certificate
Dr. Philip Hazel <ph10@???> wrote:

>1. I have not made tls_verify_certificate work with Outlook Express or
>Netscape. Nor have I failed. I just haven't tried. I have no access to
>Outlook Express because I don't use MS operating systems since my work
>is all Unix-based.


I'm not as concerned about the operating system as I am the client. A Unix-based
end-user client will demonstrate the functionality I am searching for
just as well as an MS or Apple client would. I reference OE _and_ Netscape
because they are probably the two most available end-user clients covering
most of the popular operating systems. Clearly others are available, too.

>2. I have not refused to share my configuration files because I don't
>have any to share! At least not for those two clients.


Again, the particular client itself is not really the point.

>3. I have made tls_verify_certificate work between a client and a
>server Exim. To show you I have nothing to hide, this is what I had
>in the main part of the configuration:
>
>tls_verify_hosts = *
>tls_verify_certificates = ${if eq {SERVER}{server}{DIR/aux/cert2}fail}
>tls_log_peerdn
>
>and this is what I had in the transport:
>
>send_to_server:
>   driver = smtp
>   hosts = ::::1 : 127.0.0.1
>   port = 1225
>   allow_localhost
>   tls_certificate = DIR/aux/cert2
>   tls_privatekey = DIR/aux/cert2
>   tls_verify_ciphers = IDEA-CBC-MD5 \
>     ${if eq{$host_address}{127.0.0.1}{:DES-CBC3-SHA}}
>
>The macro DIR points to a specific directory; the macro SERVER is set to
>"server" for the server Exim, and unset for the client Exim. (This is
>part of my test suite for Exim.)


Thank you. Now back to my problem - I'm looking to use X.509 certificates in
authenticating (and protecting my roaming users' server from becoming a spam
relay) my users' access to the SMTP service provided by exim. Using the TLS
functionality, I can require an encrypted session between the server and the
client, but I have been unsuccessful in implementing that one last step that
requires the client to provide a valid certificate back to the server.

Any help from someone that has successfully demonstrated that functionality
with exim would be greatly appreciated.

>4. Oh, and by the way, it's "Dr Hazel" if you want to get formal.


That title is earned and you should be properly addressed. My apologies.

>5. I hope I haven't just responded to a troll.


Actually, I'm a fish. ;-)

Sal
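As an added illustration of the step the poster is asking about (this is not from the thread, from Dr Hazel's test suite, or from the Exim distribution), the following Exim 4 configuration fragment requires a client to present a certificate that chains to a local CA before it is allowed to relay. It assumes Exim 4.80 or later variable names (`$tls_in_peerdn`); the file paths, the `example.com` domain and the `Roaming Users` OU are placeholders.

```exim
# Added example, not from the thread.  Exim 4 fragment that demands a
# verifiable client certificate before permitting relay.  Paths, the
# domain and the OU are placeholders; adjust to the real PKI.

# ---- main section ----
domainlist local_domains = example.com            # placeholder

tls_advertise_hosts = *
tls_certificate     = /etc/exim/server.pem        # placeholder path
tls_privatekey      = /etc/exim/server.key        # placeholder path

# CA bundle against which client certificates are verified.
tls_verify_certificates = /etc/exim/client-ca.pem # placeholder path

# Demand a certificate from every TLS client and abort the handshake if
# none is offered or it does not chain to the CA above.  On a listener
# that must also take ordinary inbound mail from MTAs without client
# certificates, use tls_try_verify_hosts instead and let the ACL decide.
tls_verify_hosts = *

# Log the verified peer DN and cipher so relaying decisions can be audited.
log_selector = +tls_peerdn +tls_cipher

acl_smtp_rcpt = acl_check_rcpt

# ---- ACLs ----
begin acl

acl_check_rcpt:
  # Mail for our own domains is always accepted.
  accept  domains = +local_domains

  # Relay only when the session is encrypted, the client certificate was
  # verified against tls_verify_certificates, and its subject sits in the
  # roaming-users OU.  The DN string format depends on the TLS library
  # (OpenSSL vs GnuTLS); check it against the "DN=" field in the log first.
  accept  encrypted = *
          verify    = certificate
          condition = ${if match{$tls_in_peerdn}{/OU=Roaming Users/}}
          logwrite  = relay permitted for client cert $tls_in_peerdn

  deny    message = relay not permitted
```

The `verify = certificate` condition is what distinguishes "the client sent a certificate" from "Exim verified it"; relying on `encrypted = *` alone would let any client that merely negotiated TLS relay. To confirm the server really rejects clients without a certificate, a session can be opened with `openssl s_client -starttls smtp -connect <host>:<port>` with and without `-cert`/`-key`, and the resulting log line (with the `tls_peerdn` selector enabled) shows which DN, if any, was accepted.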
