Has anyone tried something like the following configuration?
tls_try_verify_hosts = *
tls_verify_certificates = CERTS/client
The idea was to be able to support client TLS verification for select
machines in the future by just dropping files in the CERTS/client
directory. However, this seems to cause Eudora to throw its toys out of the
pram, as described in the interoperability section of
http://www.sendmail.org/~ca/email/starttls.html
There's a comment in the Exim source about OpenSSL interoperability bug
workarounds:
/* Enable client-bug workaround.
Versions of OpenSSL as of 0.9.6d include a "CBC countermeasure" feature,
which causes problems with some clients (such as the Certicom SSL Plus
library used by Eudora). This option, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS,
disables the countermeasure allowing Eudora to connect.
Some poppers and MTAs use SSL_OP_ALL, which enables all such bug
workarounds. */
However the list of workarounds doesn't seem to include one for this
Eudora problem -- see
http://www.openssl.org/docs/ssl/SSL_CTX_set_options.html
There is a big list of M$ workarounds. If I get more SSL problem reports I
may try using SSL_OP_ALL to see if it makes the users go away :-)
--
Tony Finch <dot@???>
http://dotat.at/
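An added example, not from the post above and not Exim's or OpenSSL's own code, showing the two points the message touches on from the server operator's side: what "try verify" means at the TLS level (a CertificateRequest goes to every client, which is what the Eudora report is about), and what enabling SSL_OP_ALL does relative to enabling the single SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS workaround. It assumes the OpenSSL flag value SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS == 0x00000800 (the value it has had since 0.9.6d) and uses Python's ssl module, whose ssl.OP_ALL deliberately leaves that flag out, to build a real server context to audit. The function names are mine.

```python
"""Audit TLS server options for the CBC empty-fragment countermeasure.

Added example; not the original post's configuration and not Exim code.
Assumes SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS has OpenSSL's value 0x00000800.
"""
import ssl

# OpenSSL option bit (assumption: matches the libssl Python is linked against).
SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS = 0x00000800


def try_verify_server_context() -> ssl.SSLContext:
    """Model Exim's `tls_try_verify_hosts = *` on a Python server context.

    CERT_OPTIONAL is SSL_VERIFY_PEER without FAIL_IF_NO_PEER_CERT: the server
    sends a CertificateRequest to every client, verifies a certificate if one
    is presented (against whatever is loaded as `tls_verify_certificates`),
    and lets the handshake continue if none is sent.  That CertificateRequest
    is the message some old clients cannot cope with.
    """
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.verify_mode = ssl.CERT_OPTIONAL
    return ctx


def audit_tls_options(options: int) -> dict:
    """Report whether an SSL_CTX option bitmask disables the CBC countermeasure.

    The empty-fragment insertion defends SSLv3/TLS 1.0 CBC cipher suites
    against the chosen-plaintext IV attack; SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
    turns it off, and OpenSSL's SSL_OP_ALL sets that bit along with the rest.
    """
    disabled = bool(options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)
    return {
        "options": options,
        "cbc_countermeasure_disabled": disabled,
        "note": (
            "empty-fragment countermeasure is OFF: enable only the specific "
            "workaround you need rather than SSL_OP_ALL"
            if disabled
            else "empty-fragment countermeasure is ON"
        ),
    }


def enable_eudora_workaround_only(options: int) -> int:
    """Set just the one workaround named in the Exim comment, nothing else."""
    return options | SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS


def openssl_op_all_equivalent() -> int:
    """Model OpenSSL's own SSL_OP_ALL.

    CPython exposes ssl.OP_ALL as SSL_OP_ALL with the empty-fragment bit
    masked out; OR it back in to get what a server setting SSL_OP_ALL in C
    would actually enable.
    """
    return int(ssl.OP_ALL) | SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS


def default_server_audit() -> dict:
    """Audit the options Python's default server context starts with."""
    return audit_tls_options(int(try_verify_server_context().options))


if __name__ == "__main__":
    ctx = try_verify_server_context()
    print("verify_mode:", ctx.verify_mode.name)
    for label, opts in [
        ("python default server context", int(ctx.options)),
        ("only SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS added", enable_eudora_workaround_only(0)),
        ("OpenSSL SSL_OP_ALL", openssl_op_all_equivalent()),
    ]:
        result = audit_tls_options(opts)
        print(f"{label}: 0x{opts:08x} -> {result['note']}")
```

The useful comparison is the last two lines of output: the single workaround flips exactly one bit, while SSL_OP_ALL flips that bit plus every other "some client is broken" accommodation, so auditing `int(ctx.options)` after configuration is the cheap way to confirm which of the two you actually ended up with.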