Re: [exim] How to verify certificate in transport

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Phil Pennock
Date:  
À: M G Berberich
CC: exim-users
Sujet: Re: [exim] How to verify certificate in transport
On 2008-07-25 at 22:27 +0200, M G Berberich wrote:
> I want to send mails to a smarthost encrypted. My attempts to do it
> over smtps failed, I suppose this can't be done with exim4.


Correct, to the best of my knowledge. SSL-on-connect is not in any
standards documents and is something the IETF argues against
(unfortunately, IMO).

> So I tried to force TLS. I already have added a “hosts_require_tls” to
> the “remote_smtp_smarthost” transport to prevent unencrypted delivery.
>
> I tried adding “tls_certificate = …/bla.crt” to make exim check the
> server-certificate against bla.crt, but this gives me:


No, tls_certificate is how you tell Exim what its *own* TLS certificate
is.

> So how do I make exim to check the certificate to prevent
> man-in-the-middle attacks?


On the smarthost transport, you set tls_verify_certificates to point to
the CA certificates (a file for GnuTLS, a file or a directory for
OpenSSL, eg, /etc/ssl/certs/).

For *server* side, you can choose which hosts to optionally verify for,
independently of having configured certificates (tls_verify_hosts,
tls_try_verify_hosts). But for the *client* side, once you provide the
CA certs, verification is mandatory and there are no hooks to disable
it. There's only so many ways that Exim will let people shoot
themselves in their own foot and this isn't one of them. :)

Note that tls_verify_certificates is the name of *two* options,
depending upon where it's set, with the same meaning for both. If it's
set in the 'main' section of the configuration, then it's a server-side
setting and if it's set on an SMTP Transport, then it's a client-side
setting. Neither affects the other.

-Phil