Mike Cardwell wrote:
> Leon Verrall wrote:
>> Surely this file should contain a list of certificates that are to be
>> considered "valid", plus any intermediate certs and the root cert needed
>> to validate it. However exim seems to accept _any_ TLS session as long
>> as a certificate signed by that root CA is presented.
>
> I came across the same problem. There were only a couple of certificates
> involved in my environment so what I did was to check that the domain of
> the client cert was what I was expecting:
>
> deny !condition = $tls_certificate_verified
> deny set acl_m0 = ${if match{$tls_peerdn}\
>                       {\N^.*?O=([a-z0-9\.-]+)\N}\
>                       {$1}{}}
>      condition = ${if match_domain{$acl_m0}\
>                      {secure.grepular.com:secure.blubbernet.com}\
>                      {false}{true}}
>
> Not ideal. Hopefully that'll give you an idea though.
I see the logic. I have a similar situation; just a few certificates.
Still, it would be nice if this worked as documented, or we could find out
what's wrong.
>> Any ideas why exim doesn't tell a client with an "unknown" certificate to
>> get lost, signed or not?
>
> I'd also like to know how to do that.
At least I'm not going mad. Or we both are.
Leon
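To see how the ACL Mike quoted behaves on a few peer DNs, here is an added stand-alone Python model of its logic (not Exim code and not from the thread): the DN strings are constructed, and Exim's match_domain against a colon-separated list of plain domains is approximated as a case-insensitive exact match.

```python
import re

# The same expression as in the quoted ACL: grab the O= value from $tls_peerdn.
# The character class is lower-case only, so an O= containing capitals or spaces
# yields no match, acl_m0 stays empty, and the ACL falls through to "deny".
O_FIELD = re.compile(r"^.*?O=([a-z0-9\.-]+)")

ALLOWED = "secure.grepular.com:secure.blubbernet.com"  # the list from the thread


def extract_org(tls_peerdn: str) -> str:
    """Model of ${if match{$tls_peerdn}{...}{$1}{}}: the O= value, or ''."""
    m = O_FIELD.search(tls_peerdn)
    return m.group(1) if m else ""


def match_domain(value: str, domain_list: str) -> bool:
    """Approximation of Exim's match_domain for a colon-separated list of plain
    domains: case-insensitive exact match, never true for an empty value."""
    if not value:
        return False
    return value.lower() in [d.strip().lower() for d in domain_list.split(":")]


def acl_decision(tls_certificate_verified: bool, tls_peerdn: str,
                 allowed: str = ALLOWED) -> str:
    """Return 'deny' or 'accept' following the two quoted deny statements."""
    # deny !condition = $tls_certificate_verified
    if not tls_certificate_verified:
        return "deny"
    # deny set acl_m0 = <O= value extracted from $tls_peerdn>
    #      condition = ${if match_domain{$acl_m0}{list}{false}{true}}
    acl_m0 = extract_org(tls_peerdn)
    if not match_domain(acl_m0, allowed):   # {false}{true} inverts the match
        return "deny"
    return "accept"


if __name__ == "__main__":
    # Constructed peer DNs in OpenSSL one-line form; not real certificates.
    for dn in ["/C=GB/O=secure.grepular.com/CN=secure.grepular.com",
               "/C=GB/O=other.example.net/CN=other.example.net",
               "/C=GB/CN=no-org.example.net",
               "/C=GB/O=Secure.Grepular.Com/CN=secure.grepular.com"]:
        print(dn, "->", acl_decision(True, dn))
```

The last DN shows the caveat a practitioner would want to know: a certificate whose O= field uses capitals is rejected by the lower-case-only regex even though the name is on the list, so the check fails closed rather than open.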