Hello,
the Exim 4.69 on the client side doesn't matter. If I use ``openssl
s_client'' ... to connect to the server, the same happens: same TLS
relevant config parts, but different behaviour.
Working server:
gnutls_require_kx =
gnutls_require_mac =
gnutls_require_protocols =
log_selector = +tls_peerdn -retry_defer +sender_on_delivery +pid +incoming_interface
tls_advertise_hosts = *
tls_certificate = /etc/ssl/certs/ssl.schlittermann.de.crt
tls_crl =
tls_dhparam =
tls_on_connect_ports = 465
tls_privatekey = /etc/ssl/private/ssl.schlittermann.de.key
no_tls_remember_esmtp
tls_require_ciphers =
tls_try_verify_hosts = *
tls_verify_certificates = /etc/ssl/certs/ca-certificates.crt
tls_verify_hosts =
Failing server:
gnutls_require_kx =
gnutls_require_mac =
gnutls_require_protocols =
tls_advertise_hosts = *
tls_certificate = /etc/ssl/certs/ssl.schlittermann.de.crt
tls_crl =
tls_dhparam =
tls_on_connect_ports = 465
tls_privatekey = /etc/ssl/private/ssl.schlittermann.de.key
no_tls_remember_esmtp
tls_require_ciphers =
tls_try_verify_hosts =
¹ tls_verify_certificates = /etc/ssl/certs/schlittermann-ca.pem
² tls_verify_hosts = *
1) this file contains exactly and only the CA that signed the cert on the
client side
2) this should be "tls_try_verify_hosts" to be able to do some more
ACL checking; it's changed here to tls_verify_hosts to get a faster
response.
--
Heiko
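An added example, not part of Heiko's mail and not Exim's own code: it reproduces with plain openssl the check that the "failing" server's `tls_verify_certificates` file implies (a bundle holding exactly one private CA) and models how `tls_verify_hosts` and `tls_try_verify_hosts` treat the result. The modelled semantics are those documented for Exim: under `tls_verify_hosts` a client certificate is required and must verify, otherwise the TLS connection is rejected; under `tls_try_verify_hosts` the connection is accepted either way and the outcome is left to the ACLs. The CA and client names (schlittermann-ca, mailclient, other-ca) and all key material are generated on the fly and are assumptions for the demo only.

```shell
#!/bin/sh
# Added example, not from the mail above: verify a client certificate the way
# a server with tls_verify_hosts = * and a one-CA tls_verify_certificates file
# must, then show what each Exim option does with that outcome.
# schlittermann-ca / mailclient / other-ca are made-up names for this demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA certificate and key: $1 = name
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Client certificate signed by a CA: $1 = client name, $2 = CA name
make_client() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/$1.csr" \
        -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" -CAcreateserial \
        -out "$WORK/$1.crt" >/dev/null 2>&1
}

# The check behind tls_verify_certificates: $1 = CA file, $2 = client cert
# (empty when the client offered none).
# Prints "verified", "unverified" or "none".
verify_client() {
    [ -n "$2" ] || { echo none; return 0; }
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo verified
    else
        echo unverified
    fi
}

# What the server does with that result (Exim's documented behaviour):
#   verify     = tls_verify_hosts:     cert required and must verify, else the
#                                      TLS connection is rejected
#   try_verify = tls_try_verify_hosts: accepted either way; the ACLs can still
#                                      look at the verification result
# $1 = verify|try_verify, $2 = CA file, $3 = client cert (may be empty)
exim_would_accept() {
    status=$(verify_client "$2" "$3")
    case "$1" in
        verify)     [ "$status" = verified ] && echo accept || echo reject ;;
        try_verify) echo accept ;;
        *)          echo "unknown mode $1" >&2; return 1 ;;
    esac
}

make_ca schlittermann-ca                 # the only CA in the server's CA file
make_client mailclient schlittermann-ca  # the client cert that CA signed
make_ca other-ca                         # a CA the server does not trust

SERVER_CA="$WORK/schlittermann-ca.crt"

printf '%-11s %-16s %-11s %s\n' mode client cafile result
printf '%-11s %-16s %-11s %s\n' verify own-ca-cert private-ca \
    "$(exim_would_accept verify "$SERVER_CA" "$WORK/mailclient.crt")"
printf '%-11s %-16s %-11s %s\n' verify no-cert private-ca \
    "$(exim_would_accept verify "$SERVER_CA" "")"
printf '%-11s %-16s %-11s %s\n' try_verify no-cert private-ca \
    "$(exim_would_accept try_verify "$SERVER_CA" "")"
printf '%-11s %-16s %-11s %s\n' verify own-ca-cert other-ca \
    "$(exim_would_accept verify "$WORK/other-ca.crt" "$WORK/mailclient.crt")"
```

To test the real server rather than the model, present the client certificate explicitly, e.g. `openssl s_client -connect host:465 -cert mailclient.crt -key mailclient.key -CAfile ca-bundle.pem`; an `s_client` run without `-cert`/`-key` is the "no-cert" row above and is exactly what a `tls_verify_hosts = *` server will turn away.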