OK, I've read the FAQ and I don't think this is quite the situation described in the FAQ.
The relevant configuration
bash-2.05a$ grep '^tls_' /path/to/exim.cfg
tls_advertise_hosts = *
tls_try_verify_hosts = *
tls_verify_certificates = /path/to/cacert.pem
tls_certificate = /path/to/host.crt
tls_privatekey = /path/to/host.key
bash-2.05a$ ls -l /path/to/cacert.pem
-rwxr-xr-x 1 root exim 0 Nov 24 2005 /path/to/cacert.pem
bash-2.05a$
The cacert.pem is definitely readable by the Exim user, but it's empty, so nothing is going to match. As I understand it, if nothing matches, the connection should continue, encrypted, but not verified.
What we actually see is
12/12/2006 09:10:34 Router: No messages transferred to MAIL.EXAMPLE.NET (host mail1.EXAMPLE.NET) via SMTP: SSL bad peer certificate. Connection refused
and in the exim log we see
2006-12-12 09:10:14 TLS error on connection from (tlsmail02.example.com) [123.111.100.123] (SSL_accept): error:140943E8:SSL routines:SSL3_READ_BYTES:reason(1000)
As I read the docs, if it doesn't accept the certificate it should continue anyway. In this instance it doesn't seem to do that. Is that becasue it's a deeper problem than a rejected certificate, or am I misreading the docs?
Neil Youngman
