Author: Andreas Metzler
Date:
To: exim-users
Subject: Re: [exim] TLS certificate verification

Jim Gottlieb <jimmy@???> wrote:
> I've been using a self-signed certificate for years, but I finally
> decided to install a "real" one. I bought it from Go Daddy,
[...]
> tls_verify_certificates = /opt/exim/certs/godaddy-bundle.cert
[...]
> When I test it from OS X's Mail.app, it tells me:
> "this certificate was signed by an unknown authority"
> When I first got this message, I realized I needed to install the Go
> Daddy cert bundle file (I don't know the official name) and so I did
> that and added the above tls_verify_certificates parameter. But I
> notice that cert file is not being read, even after a restart:
[...]

You are mistaking the point of tls_verify_certificates. If a *client*
connecting to exim presents a certificate, exim will verify this
one against the list of trusted ones in tls_verify_certificates.

OTOH if the client (Mail.app) wants to verify the cert exim is
presenting to it, the client will need to have access to the ca-cert
used to sign exim's cert.

BTW is your server accessible from the internet? We could try and check
whether we could verify the cert if it was.

cu andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
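
The distinction drawn in the reply above, as an added example that is not part of the original thread: a script using the openssl CLI with two throwaway CAs, showing that each side's verdict depends only on its own trust list. All CA names, host names and file names are constructed; `exim_verify_list.pem` stands in for the file that tls_verify_certificates points at.

```shell
#!/bin/sh
# Added example: every CA, certificate and file name below is constructed.
set -eu
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT; cd "$work"

make_ca() {      # $1 = CA name -> $1.key, $1.pem (self-signed)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}

issue_cert() {   # $1 = CA name, $2 = subject CN -> $2.key, $2.pem
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$2.key" -out "$2.csr" >/dev/null 2>&1
    openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
        -CAcreateserial -days 1 -out "$2.pem" >/dev/null 2>&1
}

verdict() {      # $1 = verifier's trusted-CA file, $2 = presented cert
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo "trusted"
    else
        echo "unknown authority"
    fi
}

make_ca server-ca                       # signed the cert exim presents
make_ca client-ca                       # signs certs that clients present
issue_cert server-ca mail.example.test
issue_cert client-ca client.example.test

# Server side: the file tls_verify_certificates points at.
cp client-ca.pem exim_verify_list.pem
# Client side: the mail client's own trust store, before and after the
# CA that signed the server's certificate is added to it.
cp client-ca.pem client_store_before.pem
cat client-ca.pem server-ca.pem > client_store_after.pem

echo "exim checks client cert:     $(verdict exim_verify_list.pem client.example.test.pem)"
echo "client checks exim (before): $(verdict client_store_before.pem mail.example.test.pem)"
echo "client checks exim (after):  $(verdict client_store_after.pem mail.example.test.pem)"
```

Nothing placed in the server-side list changes the second result; only the client's own store does.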