RE: [exim] TLS and Client Certificate Verification

Author: Gray, Richard
Date:  
To: Lars Mainka, exim-users
CC: 
Subject: RE: [exim] TLS and Client Certificate Verification
I may be wrong here, but my understanding of certs is that what exim is
doing is checking the authorities on your certificate. The idea is that
I would tell exim to allow mail from certs signed by the CA. I am now
able to issue certs for new users without having to log on to the box
and add their certificate.

From exim's point of view, it trusts the CA, and the CA trusts the
certificate, so exim trusts the certificate.

Hope that clears it up for you.

R

-----Original Message-----
From: exim-users-bounces@??? [mailto:exim-users-bounces@exim.org]
On Behalf Of Lars Mainka
Sent: 23 February 2005 08:52
To: exim-users@???
Subject: [exim] TLS and Client Certificate Verification

<SNIP>

In my mind, the directory must contain my client cert to allow the
client to connect to the mailserver, not only the CA cert. Is this
wrong?

What I am looking for is a client authorization with certificates,
before anything else is possible for the client. I did a ktrace for the
whole process and the exim only verifies my client cert against the CA
cert, not against the other certs in the directory.

So the main question is: What do I have to do to check on handshake
against the client's certificates?

I am using a self signed CA certificate and a cert for the mailserver
which is signed by the CA, the daemon_smtp_ports = smtp : smtps and
tls_on_connect_ports = 465 statements. My client MUA is on a host which
is listed in the tls_verify_hosts, the tls_certificate file contains the
CA cert, the mailserver cert and the mailserver's private key.

<SNIP>




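An added example, not part of the original messages or of any configuration posted in this thread: one way to get the per-client check asked about above is to keep CA verification at the handshake and then match the verified certificate's subject DN against an allow-list in an ACL. File paths, the host list, the ACL name and the DN strings are placeholders constructed for illustration; `$tls_in_peerdn` is the current name of the variable that older Exim releases called `$tls_peerdn`.

```exim
# --- main configuration section ---
# Exim does not allow trailing comments after an option value,
# so every comment here sits on its own line.

# Server certificate and key (placeholder paths).
tls_certificate = /etc/exim/tls/server.crt
tls_privatekey = /etc/exim/tls/server.key

# CA(s) that client certificates must chain to. This is the check
# described in the reply: any certificate signed by this CA passes.
tls_verify_certificates = /etc/exim/tls/ca.crt

# Hosts that must present a verifiable certificate, otherwise the
# TLS handshake fails (placeholder network).
tls_verify_hosts = 192.0.2.0/24

# Run the per-client check before any message is accepted.
acl_smtp_mail = acl_check_mail

begin acl

acl_check_mail:
  # Refuse clients that did not negotiate TLS at all.
  deny    message    = TLS is required
          !encrypted = *

  # Refuse clients whose certificate did not verify against the CA.
  deny    message    = a verified client certificate is required
          !verify    = certificate

  # CA trust alone is not authorisation: accept only if the subject DN
  # of the verified certificate is a key in the allow-list file.
  accept  condition  = ${lookup{$tls_in_peerdn}lsearch\
                         {/etc/exim/tls/allowed_client_dns}{yes}{no}}

  deny    message    = client certificate is not authorised

# --- /etc/exim/tls/allowed_client_dns (constructed sample) ---
# One DN per line; lsearch keys containing spaces must be double-quoted.
# The exact DN string depends on the TLS library and Exim version, so
# log $tls_in_peerdn for a known client first and copy it verbatim.
#
#   "/C=DE/O=Example Org/CN=client1"
#   "/C=DE/O=Example Org/CN=client2"
```

Matching on the DN is only as strong as the CA's issuance policy, since anything that CA signs with the same subject will match; the ACL runs after the handshake has completed, at MAIL time.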