Re: [exim] How to verify certificate in transport

Páxina inicial
Borrar esta mensaxe
Responder a esta mensaxe
Autor: Heiko Schlittermann
Data:  
Para: M G Berberich
Asunto: Re: [exim] How to verify certificate in transport
M G Berberich <berberic@???> (Fr 25 Jul 2008 22:27:40 CEST):
> Hello,
>
> I want to send mails to a smarthost encrypted. My attempts to do it
> over smtps failed, I suppose this can't be done with exim4.
>
> So I tried to force TLS. I already have added a “hosts_require_tls” to
> the “remote_smtp_smarthost” transport to prevent unencrypted delivery.
>
> I tried adding “tls_certificate = …/bla.crt” to make exim check the
> server-certificate against bla.crt, but this gives me:


The "tls_certificate" option is not for checking, it's for telling exim
which certificate it should use as client talking to the remove server.

>
> TLS error on connection to smarthost [ip] (cert/key setup:
> cert=…/bla.crt key=…/bla.crt): Base64 unexpected header error.


something like this should do the trick:

    TLS_CRT = /etc/ssl/certs/ssl.schlittermann.de.crt
    TLS_KEY = /etc/ssl/private/ssl.schlittermann.de.key
    TLS_CA = /etc/ssl/certs/ca-certificates.crt



    smtp_tls:
      driver = smtp
      hosts_require_tls = *
      tls_certificate = TLS_CRT
      tls_privatekey = TLS_KEY
      tls_verify_certificates = TLS_CA



I'm just not sure, if this setup already checks the certificates CN
against the host connected to. But I'd guess, this information could be
found in the spec file.


    Best regards from Dresden
    Viele Grüße aus Dresden
    Heiko Schlittermann
-- 
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann HS12-RIPE -----------------------------------------
 gnupg encrypted messages are welcome - key ID: 48D0359B ---------------
 gnupg fingerprint: 3061 CFBF 2D88 F034 E8D2  7E92 EE4E AC98 48D0 359B -