Re: [Exim] tls

Author: Andreas J Mueller
Date:  
To: tlabs
CC: exim-users
Subject: Re: [Exim] tls
Hi tlabs!

> in the logs i get this:

> 2003-07-09 20:03:53 TLS error on connection from (mail2.accelerate.uk.com) [193.195.142.3] (SSL_accept):
> error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate

> the certs are all in the right places but the secondary will not send the cert.

Have you set tls_certificate in the smtp transport? It is required
for a certificate to be sent during the SSL handshake:

remote_smtp:
  driver = smtp
  # certificate the client side offers when the server asks for one
  tls_certificate = /etc/exim/tls_certificate

Even then, I doubt that it's a good idea to set tls_verify_hosts = *
for a primary MX that is to receive mail from the outside. Many Exim
clients that connect to your server use self-signed certificates,
which cannot be verified (and usually don't need to, because TLS is
only used to create an encrypted tunnel). Exim handles this
gracefully and attempts to deliver the mail in clear, but other MTAs
may not be that smart.

Better use "tls_try_verify_hosts = *"; this will request a
certificate, but still continue the SSL negotiation if none is
presented.

Andy
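As an added example (not part of the thread, and not Exim's own code), here is a small Python triage script for the log line quoted above. It parses Exim "TLS error on connection" lines, splits the classic OpenSSL error code into its packed library/function/reason fields, and counts, per peer IP, handshakes that failed only because no client certificate was presented (the case tls_try_verify_hosts tolerates). The sample log is constructed; the reason value 199 is taken from the 0xC7 low bits of the code in the thread.

```python
import re
from collections import Counter

# Constructed sample in Exim main-log format (only the first line comes from the thread;
# the other hosts, IPs and the queue-run line are made up for illustration).
SAMPLE_LOG = """\
2003-07-09 20:03:53 TLS error on connection from (mail2.accelerate.uk.com) [193.195.142.3] (SSL_accept): error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
2003-07-09 20:04:10 TLS error on connection from (mx.example.net) [192.0.2.10] (SSL_accept): error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
2003-07-09 20:05:01 TLS error on connection from (mail2.accelerate.uk.com) [193.195.142.3] (SSL_accept): error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
2003-07-09 20:06:30 Start queue run: pid=1234
"""

TLS_ERR = re.compile(
    r"^(?P<ts>\S+ \S+) TLS error on connection from \((?P<host>[^)]*)\) "
    r"\[(?P<ip>[^\]]+)\] \((?P<call>\w+)\): "
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>.*)$"
)

# Classic (pre-3.0) OpenSSL ERR_PACK layout: (lib << 24) | (func << 12) | reason.
# 0x140890C7 -> lib 20 (SSL), func 137 (SSL3_GET_CLIENT_CERTIFICATE), reason 199.
NO_CLIENT_CERT_REASON = 199  # "peer did not return a certificate"


def decode_openssl_error(code_hex):
    """Split a packed OpenSSL error code into its library, function and reason numbers."""
    code = int(code_hex, 16)
    return {"lib": code >> 24, "func": (code >> 12) & 0xFFF, "reason": code & 0xFFF}


def parse_tls_errors(log_text):
    """Return one dict per Exim TLS-error line, flagging the missing-client-cert case."""
    events = []
    for line in log_text.splitlines():
        m = TLS_ERR.match(line)
        if not m:
            continue  # not a TLS error line; ignore
        fields = decode_openssl_error(m["code"])
        events.append({
            "ts": m["ts"], "host": m["host"], "ip": m["ip"], "call": m["call"],
            "reason_code": fields["reason"], "reason": m["reason"],
            "missing_client_cert": fields["reason"] == NO_CLIENT_CERT_REASON,
        })
    return events


def peers_missing_client_cert(log_text):
    """Count, per peer IP, handshakes rejected solely for presenting no client certificate."""
    return Counter(e["ip"] for e in parse_tls_errors(log_text) if e["missing_client_cert"])
```

Peers that show up repeatedly here are exactly the ones a mandatory tls_verify_hosts = * turns away; with tls_try_verify_hosts these sessions would complete without a client certificate.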