Re: [Exim] using other parties self-signed certificate when …

Author: Bernhard Erdmann
Date:  
To: gARetH baBB
CC: exim-users
Subject: Re: [Exim] using other parties self-signed certificate when delivering to them using TLS
gARetH baBB wrote:
[...]
> Precisely, so you expand tls_verify_certificates based on the destination
> host - if you want to verify you set tls_verify_certificates to the file
> otherwise you leave it unset.
>
> I was thinking of something like:
>
> tls_verify_certificates = ${lookup {$host_address} \
> lsearch{/etc/mail/tlsverify.hosts} {/etc/mail/tlsverify.certs} {} }
>
> But tls_verify_certificates seems to be needed to be *unset* for no
> verification, and just not blank. Unsure what you do to explicitly unset
> something.
"fail" instead of "{}" forces the expansion to fail and
tls_verify_certificates to be unset. Here it works:

tls_verify_certificates = ${lookup {$host} \
lsearch{/etc/exim/hosts_require_tls} \
{/etc/exim/tls_verify_certificates} fail }

/etc/exim/hosts_require_tls:
contains the names of the hosts where TLS is required
/etc/exim/tls_verify_certificates:
contains their (CA-)certificates

Thanks for the great hint!
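An added example, not part of this thread and not Exim's own code: a small POSIX shell script that reads the same two files and, for each host key, lets openssl(1) verify the peer's STARTTLS certificate chain against the CA file, so a stale or wrong entry shows up before Exim refuses a delivery. The file paths and the use of `openssl s_client` are assumptions; host keys are parsed with lsearch's rule (a key ends at the first colon or whitespace, '#' lines are comments), and the chain check covers only what tls_verify_certificates checks, not host-name matching.

```sh
#!/bin/sh
# Added example (not from the thread, not Exim code): sanity-check the two
# files named in the reply. For every host key in the lsearch file, open an
# SMTP STARTTLS session and let OpenSSL verify the server's chain against the
# CA file, which is what tls_verify_certificates relies on.
# Assumptions: openssl(1) is installed and port 25 of each host is reachable.

# Print the lsearch keys of a file: drop blank lines and '#' comments, then
# keep the text before the first colon or whitespace (lsearch key syntax).
lsearch_keys() {
    sed -e '/^[[:space:]]*$/d' -e '/^#/d' -e 's/[[:space:]:].*$//' "$1"
}

# Read an `openssl s_client` transcript on stdin; succeed only on a clean
# chain verification result.
verify_ok() {
    grep -q 'Verify return code: 0 (ok)'
}

# Handshake with one host and verify its chain against the CA file in $2.
# Like tls_verify_certificates this checks the chain only, not that the
# certificate's name matches the host.
verify_host() {
    host="$1"; ca_file="$2"
    printf 'QUIT\r\n' | openssl s_client -starttls smtp -connect "$host:25" \
        -CAfile "$ca_file" 2>/dev/null | verify_ok
}

# Check every host listed in $1 against the CA file $2; return 1 if any fails.
check_all() {
    hosts_file="$1"; ca_file="$2"; rc=0
    for host in $(lsearch_keys "$hosts_file"); do
        if verify_host "$host" "$ca_file"; then
            echo "ok   $host"
        else
            echo "FAIL $host (chain does not verify against $ca_file)"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh check_tls_peers.sh /etc/exim/hosts_require_tls /etc/exim/tls_verify_certificates
if [ $# -eq 2 ]; then
    check_all "$1" "$2"
fi
```

Run it after editing either file; a FAIL line means that host would also fail verification in Exim once tls_verify_certificates points at the CA file.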