Re: [exim] TLS certificate verification

Top Page
Delete this message
Reply to this message
Author: Mike Pellatt
Date:  
To: exim-users
Subject: Re: [exim] TLS certificate verification
I use the same godaddy certificate for apache, exim and stunnel.

I created a .pem with the key, the certificate and the godaddy bundle
all in the one file.

In exim, I point

tls_certificate

and

tls_privatekey

to this file, and leave

tls_verify_certificates

unset.

I can't remember now why I did it this way - probably something to do with it being the only common method that all 3 programs would support. Whatever, it works for me (tm) !!

Hope that helps

Mike Pellatt


Jim Gottlieb wrote:
> I've been using a self-signed certificate for years, but I finally
> decided to install a "real" one. I bought it from Go Daddy, just as I
> do for our web sites, but I haven't quite gotten it working with the
> following settings on exim 4.66:
>
> # SSL/TLS cert and key
> log_selector = +tls_cipher +tls_peerdn
> tls_certificate = /opt/exim/certs/exim.cert
> tls_privatekey = /opt/exim/certs/exim.key
> tls_verify_certificates = /opt/exim/certs/godaddy-bundle.cert
>
> # Advertise TLS to anyone
> tls_advertise_hosts = *
>
>
> When I test it from OS X's Mail.app, it tells me:
> "this certificate was signed by an unknown authority"
>
> When I first got this message, I realized I needed to install the Go
> Daddy cert bundle file (I don't know the official name) and so I did
> that and added the above tls_verify_certificates parameter. But I
> notice that cert file is not being read, even after a restart:
>
> $ ls -lut
> -r--r--r-- 1 exim staff 1749 Aug 28 11:05 exim.cert
> -r-------- 1 exim staff 891 Aug 28 11:05 exim.key
> -r--r--r-- 1 exim staff 4680 Aug 27 03:06 godaddy-bundle.cert
>
> I've also been getting error messages like this in the logs:
>
> TLS error on connection from nebula.nccom.com [198.51.175.31]
> (SSL_accept): error:00000000:lib(0):func(0):reason(0)
>
> Any ideas?
>
> Thanks...
>
> ...Jim
>
>
>
>