Re: [exim] TLS certificate verification

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Andreas Metzler
Date:  
À: exim-users
Sujet: Re: [exim] TLS certificate verification
Jim Gottlieb <jimmy@???> wrote:
> I've been using a self-signed certificate for years, but I finally
> decided to install a "real" one. I bought it from Go Daddy,

[...]
> tls_verify_certificates = /opt/exim/certs/godaddy-bundle.cert

[...]
> When I test it from OS X's Mail.app, it tells me:
> "this certificate was signed by an unknown authority"


> When I first got this message, I realized I needed to install the Go
> Daddy cert bundle file (I don't know the official name) and so I did
> that and added the above tls_verify_certificates parameter. But I
> notice that cert file is not being read, even after a restart:

[...]

You are mistaking the point of tls_verify_certificates. If a *client*
connecting to exim presents a certificate, exim will verificate this
one against the list of trusted ones in tls_verify_certificates.

OTOH if the client (Mail.app) wants to verify the cert exim is
presenting to it, the client will need to have access to the ca-cert
used to sign exim's cert.

BTW is your server accessible from the internet? We could try and check
whether we could verify the cert if it was.

cu andreas

--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'