Martin A. Brooks wrote:
> Hi
>
> I've been looking at using a wildcard certificate with exim. I have the
> cert, exim is configured to use it, and there are no complaints when
> clients use STARTTLS to encrypt their session.
>
> Call me paranoid, but I want to verify that the certificate is actually
> being used and I've drawn a blank as to how to do that. My usual tools
> for SMTP kung-fu, swaks, doesn't have a "show me the cert" option nor
> can I switch enough debugging on for it to show me sufficient details.
>
> Any suggestions?
>
> Thanks
>
Not allowing client submission connection *unless* encrypted is a start.
ISTR this line in each client login acl does that [1]:
server_advertise_condition = ${if eq{$tls_cipher}{}{no}{yes}}
As to 'which cert' - SeaMonkey, to name one (of probably very many MUA)
will balk, display any cert that lacks a CA in its arsenal.
Maybe *I'm* paranoid, but ever since I caught the likes of
ad.doubleclick and sputnik felons using such certs to evade ad blocking,
I make a practice of deleting ALL certs and CA's from each new browser
install.
Not a lot of work to accept - temporarily or permanently - those you
actually need.
HTH,
Bill
[1] Not 100% certain, as we run SSL, not TLS, so there is no choice anyway.
