Re: [Exim] using other parties self-signed certificate when …

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Bernhard Erdmann
Datum:  
To: gARetH baBB
CC: exim-users
Betreff: Re: [Exim] using other parties self-signed certificate when delivering to them using TLS
gARetH baBB wrote:
[...]
> Precisely, so you expand tls_verify_certificates based on the destination
> host - if you want to verify you set tls_verify_certificates to the file
> otherwise you leave it unset.
>
> I was thinking of something like:
>
> tls_verify_certificates = ${lookup {$host_address} \
> lsearch{/etc/mail/tlsverify.hosts} {/etc/mail/tlsverify.certs} {} }
>
> But tls_verify_certificates seems to be needed to be *unset* for no
> verification, and just not blank. Unsure what you do to explicitly unset
> something.



"fail" instead of "{}" forces the expansion to fail and
tls_verify_certificates to be unset. Here it works:

tls_verify_certificates = ${lookup {$host} \
lsearch{/etc/exim/hosts_require_tls} \
{/etc/exim/tls_verify_certificates} fail }

/etc/exim/hosts_require_tls:
contains the names of the hosts where TLS is required
/etc/exim/tls_verify_certificates:
contains their (CA-)certificates

Thanks for the great hint!