[exim] tls cert verification

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Mike Cardwell
Date:  
À: exim-users
Sujet: [exim] tls cert verification
I'm setting up a manualroute for exim to deliver certain mail to a
smarthost. It will use TLS over port 587 with auth. The auth is
irrelevant to this though. I've got it working, however I have
concerns about a man in the middle attack.

If I were pointing an email client like Thunderbird directly at the
smarthost, it would warn me if the cert was self signed, didn't
match the common name, or if it had changed since last time. I
can't seem to get exim to do any of that.... How do I go about it?

What I *want* for exim to do is queue the message if the certificate
changes.

Here's my current config:

The router:

smarthost4:
   debug_print    = "R: smarthost4 for $local_part@$domain"
   driver         = manualroute
   domains        = +smarthost4_domains
   transport      = smarthost4
   route_list     = * "smarthost4.internaldns.grepular.com"


The transport:

smarthost4:
   debug_print             = "T: smarthost4 for $local_part@$domain"
   driver                  = smtp
   port                    = 587
   hosts_require_tls       = *
   hosts_require_auth      = *
   tls_tempfail_tryclear   = false
   tls_verify_certificates = /etc/ssl/certs/


P.S. I'm using exim 4.63 compiled against openssl.

Mike