Author: Matt Bernstein
Date:
To: Mark Edwards
CC: exim-users
Subject: Re: [Exim] 2 SSL questions

At 14:53 -0700 Mark Edwards wrote:
>> I think you might misunderstand how certificates "and all that" work. The
>> client may offer a certificate, if requested, and the server may verify it
>> if it knows about a CA which has signed it. But, even though I've got it
>> to work, I'm no expert! Try the references the Exim spec points to.
>
>But where does the client get the certificate? As it stands now (without
>the ACL config), the client gets the certificate from my server and uses it.
Er.. that'd be the server certificate, and that's not the same as a
certificate the client might offer.
> Since it is self-signed, I'm the CA.
No.
I suspect you don't want tls_{,try_}verify_hosts at all. It's not needed
if you are relying on SMTP AUTH by the MUA anyway! It's more useful for
MTAs to trust other MTAs.
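
The two setups contrasted in the reply above, as an added Exim 4 configuration sketch that is not part of the original message. All file paths and the address 192.0.2.25 are placeholders, and the two cases are alternatives for illustration, not one file to paste as-is.

```conf
# ---- Case 1: MUAs submit mail; the client proves who it is with SMTP AUTH ----
# Main section. The certificate here is the SERVER's own; the client only
# receives it during the handshake and never presents it back.
tls_advertise_hosts = *
tls_certificate     = /path/to/server.crt
tls_privatekey      = /path/to/server.key

# Advertise AUTH only once the session is encrypted, so passwords are
# never sent in clear.
auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}

# No tls_verify_hosts / tls_try_verify_hosts: no client certificate is requested.

# RCPT ACL: relaying is allowed because the client authenticated.
accept  authenticated = *


# ---- Case 2: a peer MTA is trusted because of the certificate it presents ----
# Main section. The server certificate settings are the same as above; in
# addition the server needs the CA that signed the CLIENT's certificate.
tls_verify_certificates = /path/to/peer-ca.pem

# Require a verifiable client certificate from this host; the TLS session
# fails if it does not present one.
tls_verify_hosts = 192.0.2.25

# Softer variant: request a certificate but let the session continue
# without one, leaving the decision to the ACL.
# tls_try_verify_hosts = 192.0.2.25

# RCPT ACL: relaying is allowed only over TLS with a verified client certificate.
accept  encrypted = *
        verify    = certificate
```

In case 2 the peer MTA needs its own certificate and key, signed by a CA listed in `tls_verify_certificates`; the server's self-signed certificate plays no part in that check.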