Re: [Exim] tls certificate verification

Author: Matt Bernstein
Date:  
To: Steve Haslam
CC: exim-users
Subject: Re: [Exim] tls certificate verification
On Sep 9 Steve Haslam wrote:

>> This has got nothing to do with authentication, simply TLS encryption for
>> TLS-encrypted smtp.
>
>OK, I appreciate they use different certificate sets-- but basically, if you
>wanted to set up SMTP-authenticating-using-TLS-certificates, how would you
>do it? I'm looking at the code and a chunk of it that ought to be outputting
>debug messages if Exim is checking that the peer certificate is signed by
>the right CA isn't doing anything.


Hmm... I use client certificates with tls_try_verify_hosts = * [1] and use
the RCPT ACL to work out what you're allowed to do from that point on.
That bit seems to "work for me" just fine on Exim 4.10.

This could be a job for AUTH EXTERNAL (see my post from Aug 17), but I
haven't the time to code it, it didn't make it to the wish list, and I'm sure
Philip has plenty of other things to worry about just now.

Matt

[1] Some MUAs (eg Netscape 4) spit out things which look like error
messages to the user if the client doesn't have a certificate to offer, and
others (eg some versions of Apple Mail) get very annoyed and try things
like AUTH PLAIN in the clear... so I also listen on tcp/587, and my line
is really tls_try_verify_hosts = ${if eq{$interface_port}{587}{}{*}}
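As an added illustration (not Matt's actual configuration), here is the shape of an Exim 4 main section and RCPT ACL that does what the post describes: ask for a client certificate on every port except the submission port, and let the RCPT ACL use the verification result to decide what the client may do. The CA file path and the `+local_domains` list name are assumptions.

```exim
# Added example, not the poster's configuration. Main section.

# Request a client certificate on every port except tcp/587 (the line
# from the post), so MUAs on the submission port are never asked for one.
tls_try_verify_hosts = ${if eq{$interface_port}{587}{}{*}}

# CA bundle used to verify client certificates (path is a placeholder).
tls_verify_certificates = /etc/exim/client-ca.pem

# Offer STARTTLS everywhere, but advertise AUTH only once the session is
# encrypted, so a client cannot fall back to AUTH PLAIN in the clear.
tls_advertise_hosts  = *
auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}

acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:
  # Mail for our own domains is always accepted (list name assumed).
  accept  domains = +local_domains

  # Relay only when the session is encrypted AND the client presented a
  # certificate that verified against tls_verify_certificates.
  # verify = certificate is false if no certificate was offered or it
  # failed verification, so an unverified client falls through.
  accept  encrypted   = *
          verify      = certificate
          log_message = relay permitted for client cert $tls_peerdn

  # Clients that used SMTP AUTH (typically on tcp/587) may relay too.
  accept  authenticated = *

  # Everyone else is refused relay.
  deny    message = relay not permitted
```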