Autor: Phil Pennock Data: Para: Martin A. Brooks CC: Exim Users Assunto: Re: [exim] verifying certificate information
On 2008-06-16 at 10:21 +0100, Martin A. Brooks wrote: > Phil Pennock wrote:
> > I suspect that, ironically enough, on the host with the certificate
> > issued by a well-established CA, you have hosts_avoid_tls set on the
> > relevant SMTP Transport.
>
> This isn't the case, your own excellent tool verifies that the cert is
> being presented. I'm using a wildcard cert, could that make a difference?
Shouldn't.
Re-reading your mail, I think that "it" in "when it sends mail" is
perhaps unclear; so, this is the log-files of remote servers, when
sending mail to the machine with the self-signed cert, reports the DN,
but when sending mail to the machine with the externally-issued cert,
this isn't reported?
What's the value of tls_advertise_hosts on the new box? Did you get
fancy and enable it for submission service and not for port 25? Eg, my
default setting boils down to:
tls_advertise_hosts = ${if =={$received_port}{587}{*}{}}
You're looking on identical hosts, both have +tls_peerdn in the
log_selector?
Otherwise, you're down to running a debug exim instance with -d+tls to
see what errors happen.
Re-reading the code:
For OpenSSL, it only sets tls_peerdn if the peer host verifies.
For GNUTLS, if the mail is delivered (ie, connection not declared to
have failed) then it always sets tls_peerdn, whether it verifies or not;
this seems ... questionable.
Which library is used on the remote machines? Has that changed
recently?