On Sunday, August 18, 2002, at 02:42 PM, Matt Bernstein wrote:
> At 11:21 -0700 Mark Edwards wrote:
>
>> I tried setting up the -tls-on-connect thing using inetd, as suggested in
>> the man page. Here's my inetd line:
>>
>> smtps stream tcp nowait root /usr/local/sbin/exim
>> exim -tls-on-connect
>
> presumably exim -bs (off the top of my head, RTFM!)?
Well, that did it. Shucks, I should have figured that one myself. For
what its worth, I did RTFM, I was just too dim-witted.
> Use the ACLs. Here are some tips (a.b.c.d is the IP address of external
> interface you want to listen on):
>
>> Thanks for the help. Does putting SSL in the ACL section require that the
>> certificate is installed in the client separately, or will the client get
>> the certificate, then turn around and offer it for the authentication?
>
> I think you might misunderstand how certificates "and all that" work. The
> client may offer a certificate, if requested, and the server may verify it
> if it knows about a CA which has signed it. But, even though I've got it
> to work, I'm no expert! Try the references the Exim spec points to.
But where does the client get the certificate? As it stands now (without
the ACL config), the client gets the certificate from my server and uses it.
Since it is self-signed, I'm the CA.
I guess I'm just asking whether anything else is needed when you add an SSL
requirement in the ACL section, as you outlined. Clients will work as
before, except they will be rejected if they do not use SSL? When the
client offers the certificate, where does it get the certificate from?
I suppose I should just try it once I've got all my users setup to do SSL.
Thanks very much!
--
Mark Edwards
San Francisco, CA
