Re: [exim] verifying certificate information

Author: W B Hacker
Date:  
To: exim users
Subject: Re: [exim] verifying certificate information
Martin A. Brooks wrote:
> Hi
>
> I've been looking at using a wildcard certificate with exim. I have the
> cert, exim is configured to use it, and there are no complaints when
> clients use STARTTLS to encrypt their session.
>
> Call me paranoid, but I want to verify that the certificate is actually
> being used and I've drawn a blank as to how to do that. My usual tools
> for SMTP kung-fu, swaks, doesn't have a "show me the cert" option nor
> can I switch enough debugging on for it to show me sufficient details.
>
> Any suggestions?
>
> Thanks
>


Not allowing client submission connections *unless* encrypted is a start.

ISTR this line in each client login acl does that [1]:

      server_advertise_condition = ${if eq{$tls_cipher}{}{no}{yes}}


As to 'which cert' - SeaMonkey, to name one (of probably very many MUAs)
will balk at, and display, any cert that lacks a CA in its arsenal.

Maybe *I'm* paranoid, but ever since I caught the likes of
ad.doubleclick and sputnik felons using such certs to evade ad blocking,
I make a practice of deleting ALL certs and CA's from each new browser
install.

Not a lot of work to accept - temporarily or permanently - those you
actually need.

HTH,

Bill


[1] Not 100% certain, as we run SSL, not TLS, so there is no choice anyway.
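For the "show me the cert" part of Martin's question, the following is an added example (not from the original post, and not Exim's own code): a standard-library Python script that speaks SMTP to a server, upgrades with STARTTLS, returns the certificate the server presented, and checks whether a wildcard certificate really covers the host name that was connected to. The names example.org, mail.example.org and the SAMPLE_CERT dict are constructed test data, not a real certificate; the wildcard rules are a deliberately conservative reading of RFC 6125 (whole-label wildcard only, at least two labels after it), which is an assumption of this example rather than anything Exim enforces.

```python
"""Fetch the certificate an SMTP server presents via STARTTLS and check that a
wildcard certificate covers the host name you connected to.
Added example using only the Python standard library; not Exim's own code."""
import smtplib
import ssl
import sys


def fetch_starttls_cert(host, port=25, timeout=10):
    """Speak SMTP to host:port, upgrade with STARTTLS and return the peer
    certificate as the dict ssl.SSLSocket.getpeercert() produces.

    The default context verifies the chain against the system CA store and
    checks the host name, so an untrusted or mismatched certificate raises
    ssl.SSLCertVerificationError instead of being reported silently.
    """
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        smtp.starttls(context=ctx)
        return smtp.sock.getpeercert()


def cert_names(cert):
    """DNS names the certificate is valid for: the DNS subjectAltName entries,
    falling back to the subject CN only when no DNS SAN is present."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def wildcard_matches(pattern, hostname):
    """Conservative RFC 6125-style name comparison (assumptions of this example):
    - case-insensitive, exact match when there is no wildcard;
    - '*' is accepted only as the entire leftmost label ('*.example.org'),
      so 'm*.example.org' and '*.*.org' are rejected;
    - the wildcard matches exactly one label: '*.example.org' covers
      mail.example.org but not example.org or a.b.example.org;
    - a wildcard needs at least two labels after it, so '*.org' is rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    if not all(h_labels):
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def cert_covers(cert, hostname):
    """True if any name carried by the certificate matches hostname."""
    return any(wildcard_matches(n, hostname) for n in cert_names(cert))


# Constructed sample in getpeercert() shape (not a real certificate): a wildcard
# cert for *.example.org that also lists the bare apex domain as a SAN.
SAMPLE_CERT = {
    "subject": ((("countryName", "GB"),), (("commonName", "*.example.org"),)),
    "subjectAltName": (("DNS", "*.example.org"), ("DNS", "example.org")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2031 GMT",
}


def report(cert, hostname):
    """Human-readable summary of what the server presented and whether it fits."""
    lines = [
        "names:   " + ", ".join(cert_names(cert)),
        "expires: " + cert.get("notAfter", "?"),
        "covers %s: %s" % (hostname, cert_covers(cert, hostname)),
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    if len(sys.argv) >= 2:
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
        print(report(fetch_starttls_cert(host, port), host))
    else:
        print(report(SAMPLE_CERT, "mail.example.org"))
```

Run it as `python3 showcert.py mail.example.org 587` against your own server (the file name is hypothetical). Because the context verifies the chain and host name, a clean run already proves the server handed over a certificate that a CA-trusting client accepts for that name; if Exim were still serving an old or self-signed certificate, the STARTTLS step would fail with a verification error, which is the answer in itself.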