Re: [exim] TLS certificate verification

Author: Andreas Metzler
To: exim-users
Subject: Re: [exim] TLS certificate verification
Jim Gottlieb <jimmy@???> wrote:
> I've been using a self-signed certificate for years, but I finally
> decided to install a "real" one. I bought it from Go Daddy,

[...]
> tls_verify_certificates = /opt/exim/certs/godaddy-bundle.cert

[...]
> When I test it from OS X's Mail.app, it tells me:
> "this certificate was signed by an unknown authority"
> When I first got this message, I realized I needed to install the Go
> Daddy cert bundle file (I don't know the official name) and so I did
> that and added the above tls_verify_certificates parameter. But I
> notice that cert file is not being read, even after a restart:

[...]

You are mistaken about the point of tls_verify_certificates. If a *client*
connecting to exim presents a certificate, exim will verify this
one against the list of trusted ones in tls_verify_certificates.

OTOH if the client (Mail.app) wants to verify the cert exim is
presenting to it, the client will need to have access to the ca-cert
used to sign exim's cert.

BTW is your server accessible from the internet? We could try and check
whether we could verify the cert if it was.

cu andreas

--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
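The verification direction Andreas describes, shown with a throwaway CA so it runs offline (an added example, not code from the list post or from exim): the server certificate only verifies on the side that holds the signing CA, and exim's tls_verify_certificates has no say in that. The CA names and the hostname mail.example.test are made up.

```shell
#!/bin/sh
# Added example: build a toy CA and a server certificate signed by it, then
# verify the server cert the way a client (Mail.app, openssl s_client) does:
# against whatever CA bundle the *client* has. Names here are invented.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Toy CA, standing in for the Go Daddy bundle the client needs to possess.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=toy-ca" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

# Server key + CSR, signed by the toy CA: this plays the role of exim's cert.
openssl req -newkey rsa:2048 -nodes \
  -subj "/CN=mail.example.test" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
openssl x509 -req -days 1 -in "$WORK/server.csr" \
  -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
  -out "$WORK/server.pem" >/dev/null 2>&1

# An unrelated CA: what a client without the right bundle effectively trusts.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=other-ca" \
  -keyout "$WORK/other.key" -out "$WORK/other.pem" >/dev/null 2>&1

# verify_against BUNDLE CERT: the client-side chain check. Prints "ok" and
# returns 0 when BUNDLE contains the signing CA, otherwise prints
# "unknown-authority" (Mail.app's complaint) and returns 1. Nothing on the
# exim side, tls_verify_certificates included, changes this outcome.
verify_against() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo "ok"; return 0
  else
    echo "unknown-authority"; return 1
  fi
}

verify_against "$WORK/ca.pem"    "$WORK/server.pem"            # ok
verify_against "$WORK/other.pem" "$WORK/server.pem" || true    # unknown-authority
```

Against a live server the equivalent check is `openssl s_client -starttls smtp -connect host:port -CAfile bundle.pem`, reading the "Verify return code" line.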