On Tue, Nov 23, 2010 at 08:19:39PM +0100, Matthias-Christian Ott said:
> On Tue, Nov 23, 2010 at 01:55:36PM -0500, Phil Pennock wrote:
> > On 2010-11-22 at 23:14 +0100, Matthias-Christian Ott wrote:
> > > for fail-over I want to add a spooling relay to an existing Exim
> > > server. I would prefer to useauthentication via client certificates. Is
> > > this possible with Exim?
> >
> > Yes. Use the tls_certificate and tls_privatekey options on the SMTP
> > Transport used. There are other relevant options too. See:
> > 30.4 Private options for smtp
> > 39.9 Configuring an Exim client to use TLS
> > of The Exim Specification, "spec.txt" or online at:
> > http://www.exim.org/exim-html-current/doc/html/spec_html/index.html
>
> This is not what I was looking for. I'm already using TLS and
> tls_verify_certificates doesn't solve my problem because it seems to me
> that I have to keep all client certifcates on the actual mail server in a
> directory.
>
> I would like to sign the server and the client (relay) certificate
> by a CA and store the CA certificate on the server and instruct the
> server to accept only messages from relays which provide a certificate
> which is signed by the server (similar to OpenID client certificate
> authentication).
You need to do something like:
tls_verify_certificates = /etc/exim4/ssl/ca.crt
tls_try_verify_hosts = *
On the relay. This will verify the cert against the CA, rather than
against a known list of certs.
Cheers,
--
--------------------------------------------------------------------------
| Stephen Gran | Gnagloot, n.: A person who leaves all |
| steve@??? | his ski passes on his jacket just to |
| http://www.lobefin.net/~steve | impress people. -- Rich Hall, |
| | "Sniglets" |
--------------------------------------------------------------------------
