Re: [exim] verifying certificate information

Author: Phil Pennock
Date:  
To: Martin A. Brooks
CC: Exim Users
Subject: Re: [exim] verifying certificate information
On 2008-06-16 at 10:21 +0100, Martin A. Brooks wrote:
> Phil Pennock wrote:
> > I suspect that, ironically enough, on the host with the certificate
> > issued by a well-established CA, you have hosts_avoid_tls set on the
> > relevant SMTP Transport.
>
> This isn't the case, your own excellent tool verifies that the cert is
> being presented. I'm using a wildcard cert, could that make a difference?


Shouldn't.

Re-reading your mail, I think that "it" in "when it sends mail" is
perhaps unclear; so, this is the log-files of remote servers, when
sending mail to the machine with the self-signed cert, reports the DN,
but when sending mail to the machine with the externally-issued cert,
this isn't reported?

What's the value of tls_advertise_hosts on the new box? Did you get
fancy and enable it for submission service and not for port 25? Eg, my
default setting boils down to:
tls_advertise_hosts = ${if =={$received_port}{587}{*}{}}

You're looking on identical hosts, both have +tls_peerdn in the
log_selector?

Otherwise, you're down to running a debug exim instance with -d+tls to
see what errors happen.

Re-reading the code:

For OpenSSL, it only sets tls_peerdn if the peer host verifies.

For GNUTLS, if the mail is delivered (ie, connection not declared to
have failed) then it always sets tls_peerdn, whether it verifies or not;
this seems ... questionable.

Which library is used on the remote machines? Has that changed
recently?

Regards,
-Phil
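A small triage helper in the spirit of the checks above, added here as an example and not code from the thread or from Exim: it parses Exim main-log delivery lines and reports, per destination host, whether TLS was negotiated at all (an X= field) and whether a peer DN was logged (a DN= field, which needs +tls_peerdn in log_selector). The log lines, message ids and host names are constructed.

```python
import re

# Constructed Exim main-log delivery lines (not taken from the original thread).
SAMPLE_LOG = """\
2008-06-16 10:21:03 1K8Abc-0001Xy-Zz => postmaster@example.net R=dnslookup T=remote_smtp H=mx.example.net [192.0.2.10] X=TLSv1:AES256-SHA:256 DN="C=GB,O=Example Ltd,CN=*.example.net"
2008-06-16 10:21:04 1K8Abd-0001Xz-Aa => postmaster@example.org R=dnslookup T=remote_smtp H=mx.example.org [192.0.2.20] X=TLSv1:AES256-SHA:256
2008-06-16 10:21:05 1K8Abe-0001Ya-Bb => postmaster@example.com R=dnslookup T=remote_smtp H=mx.example.com [192.0.2.30]
"""

# Exim log fields look like KEY=value or KEY="quoted value"; a quoted value is
# consumed whole so the '=' signs inside a DN do not produce spurious fields.
FIELD_RE = re.compile(r'\b([A-Z]{1,2})=("([^"]*)"|(\S+))')


def parse_delivery_line(line):
    """Return (host, fields) for a '=>' delivery line, or None for any other line."""
    if " => " not in line:
        return None
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields.get("H"), fields


def classify_tls(log_text):
    """Map each destination host to 'no-tls', 'tls-no-dn' or 'tls-dn'.

    no-tls    : no X= field, so TLS was never negotiated (check
                tls_advertise_hosts on the receiver, hosts_avoid_tls on the sender)
    tls-no-dn : TLS used but no DN= logged (sender lacks +tls_peerdn, or its
                OpenSSL build did not verify the peer certificate)
    tls-dn    : TLS used and the peer DN was recorded
    """
    result = {}
    for line in log_text.splitlines():
        parsed = parse_delivery_line(line)
        if parsed is None:
            continue
        host, fields = parsed
        if "X" not in fields:
            result[host] = "no-tls"
        elif "DN" not in fields:
            result[host] = "tls-no-dn"
        else:
            result[host] = "tls-dn"
    return result


if __name__ == "__main__":
    for host, state in sorted(classify_tls(SAMPLE_LOG).items()):
        print(f"{host}: {state}")
```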