Re: [Exim] TLS Problem

Author: Philip Hazel
To: Peter Mathiasson
CC: exim-users
Subject: Re: [Exim] TLS Problem
On Wed, 12 Dec 2001, Peter Mathiasson wrote:

> If I try to send an email to this host using another machine, this time
> with exim as a client, the message does not get sent unless the client
> certificate is located /etc/exim/certs.d on the server, that is it works
> as promised if the certificate is available.
>
> If the TLS session fails my exim client refuses to send the mail
> unencrypted even though I have not specified the server host in the
> host_require_tls option.


It depends on what you mean by "TLS session fails". If the server
rejects the "STARTTLS" command, Exim will attempt to send the message
unencrypted (in the absence of hosts_require_tls). However, if STARTTLS
is accepted, but there is a problem in setting up the session (which
will happen if the certificate doesn't match, but can also be caused by
other problems), Exim gives up, because the state of the SMTP connection
is undefined. (The server end doesn't know what the state is either.)

In Exim 4, there is more flexibility. You can specify, in the server,
that the TLS connection should continue, even if the client's
certificate is not one of those you expect. This state can be detected,
and, for example, you can configure Exim so that it allows relaying if a
correct certificate is supplied, but only accepts for local delivery
otherwise (but still over an encrypted connection).

Exim 4 is currently available for alpha testing in the Testing directory
on the ftp site. There will be a new alpha either just before Christmas,
or early in the New Year.

--
Philip Hazel            University of Cambridge Computing Service,
ph10@???      Cambridge, England. Phone: +44 1223 334714.
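The configuration pattern described in the reply, written out as an added example; it is not part of the original thread and not Exim's own shipped configuration. It uses the option and ACL syntax of released Exim 4 (tls_try_verify_hosts, verify = certificate, encrypted = *, hosts_require_tls), which is assumed to match what the December 2001 alpha accepted; the certificate paths, the local-domains list and the hostname mail.example.net are placeholders.

```exim
# --- Main section (server side) ---------------------------------------
# Assumed paths: the CA bundle used to check client certificates lives in
# the same directory the original poster used for client certificates.
tls_certificate         = /etc/exim/certs.d/server.crt
tls_privatekey          = /etc/exim/certs.d/server.key
tls_verify_certificates = /etc/exim/certs.d/clients-ca.pem

# Try to verify every client's certificate, but keep the TLS session up
# even when no acceptable certificate is offered. tls_verify_hosts would
# instead tear the session down, which is the Exim 3 behaviour the reply
# describes.
tls_try_verify_hosts    = *

domainlist local_domains = example.org
acl_smtp_rcpt = acl_check_rcpt

# --- ACLs --------------------------------------------------------------
begin acl

acl_check_rcpt:
  # Local deliveries are accepted from anyone, so an encrypted client
  # whose certificate failed verification can still deliver here.
  accept  domains   = +local_domains

  # Relaying is allowed only over TLS and only when the client's
  # certificate verified against tls_verify_certificates.
  accept  encrypted = *
          verify    = certificate

  deny    message   = relay not permitted without a verified client certificate

# --- Transports (client side) -----------------------------------------
begin transports

remote_smtp:
  driver = smtp
  # Never fall back to a cleartext session for this peer. For all other
  # hosts, a rejected STARTTLS command still leads to a plaintext retry,
  # while a failed handshake after an accepted STARTTLS aborts delivery.
  hosts_require_tls = mail.example.net
```

Whether a client that presented no valid certificate can still deliver locally over plaintext is a policy choice; the first accept rule above allows it, which is the usual requirement for an internet-facing MTA. Adding encrypted = * to that rule would restrict local delivery to TLS sessions, matching the stricter reading of the reply.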