Re: [Exim] problem using tls_verify_hosts parameter - second…

Author: Tony Earnshaw
Date:  
To: exim-users
Subject: Re: [Exim] problem using tls_verify_hosts parameter - second try
Mon, 12 May 2003 at 20:45, Juergen Edner wrote:

> last week I posted my question about tls_verify_hosts to
> this mailing list but haven't seen any answer until now.
> Have I missed something or does nobody know anything
> about it? Excuse my impatience ;-)
>
> > I am playing around with server side TLS configuration
> > at the moment. TLS in general is working but now I want
> > to use the tls_verify_hosts parameter to improve security,
> > which doesn't work at all.
> > The Exim debug log shows a "peer did not return a
> > certificate" error. I searched through the mailing list
> > archive and found some postings about it but no solution
> > for this problem.
> > Now I wonder if it is a well-tested function or if it is
> > still in development.


TLS in mail servers is at the best of times flaky (not technically but
logistically): no-one can guarantee server-server TLS/encrypted
connections unless two domain mailadmins have a mutual agreement and
connections have to be point-to-point (o.k., routers in the middle, but
they route at OSI levels 2/3.) Adding client verification with cert.
exchange only makes it worse - you really have to get 2 dedicated peers
to make that work. I should forget it, if I were you.

> > Has anyone successfully enabled this feature and can give
> > me a hint how to configure different email clients to
> > send a certificate?


Use AUTH CRAM-MD5 or AUTH PLAIN, either over TLS, instead for MUA to MTA.
I use CRAM-MD5 over TLS from this Ximian Evolution MUA to my Exim 4.14
server and it works perfectly. If you're hell bent on exchanging
certificates, then CRAM-MD5 is the next best thing, with tokens. Exim
doesn't support Kerberos yet, which would be even better.

Best,

Tony

--
Tony Earnshaw

There's none so daft as them as will not learn.

http://www.billy.demon.nl
Mail: tonni@???
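For readers who do want to try client-certificate verification, the following Exim 4 configuration fragment is an added example, not code from either poster in this thread or from the Exim distribution. It shows the two relevant main-section options side by side: tls_try_verify_hosts, which only asks for a certificate, and tls_verify_hosts, which requires one and produces the "peer did not return a certificate" failure when the client sends none. The file paths, the address range, the host name and the ACL name are assumptions; the option names, the verify = certificate ACL condition, the $tls_peerdn variable and the tls_peerdn log selector are documented Exim 4 features.

```exim
# Added example, not from the original thread. Main configuration section.
# Paths, addresses and names below are placeholders (assumptions).

# Offer STARTTLS to everyone and identify ourselves with our own certificate.
tls_advertise_hosts = *
tls_certificate     = /etc/exim/server.pem
tls_privatekey      = /etc/exim/server.key

# CA certificate(s) that issued the client certificates we are prepared to
# trust. Without this file neither verify option can succeed.
tls_verify_certificates = /etc/exim/client-ca.pem

# Lenient: ask every client for a certificate, but carry on if none arrives.
# Whether one was received and verified is visible later in $tls_peerdn and
# in the verify = certificate ACL condition.
tls_try_verify_hosts = *

# Strict: these peers MUST present a certificate that verifies against
# tls_verify_certificates. A client that sends no certificate gets the
# "peer did not return a certificate" failure seen in the debug output, so
# list only hosts you control or have a standing agreement with.
tls_verify_hosts = 192.0.2.0/24 : mx.partner.example

# Record the verified peer DN in the main log for later review.
log_selector = +tls_peerdn

acl_smtp_rcpt = acl_check_rcpt

begin acl

# Relay for anyone who presented a certificate we verified, not merely for
# anyone whose session happens to be encrypted.
acl_check_rcpt:
  accept  hosts     = +relay_from_hosts

  accept  encrypted = *
          verify    = certificate
          logwrite  = relaying for verified certificate DN $tls_peerdn

  # ... the rest of the normal recipient checks follow here
```

To check what a given client actually sends, connect with a certificate from the command line, for example `openssl s_client -connect mail.example:25 -starttls smtp -cert client.pem -key client.key -CAfile server-ca.pem`, and watch the server side with `exim -d+tls -bh 192.0.2.10`, which replays an SMTP session from that address with TLS debugging enabled (the host name and address are again assumptions). If the debug output still reports that the peer returned no certificate, the problem is on the client: most MUAs of this era never offer a client certificate unless explicitly configured to, which is why the reply above steers MUA-to-MTA traffic towards AUTH over TLS instead.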