[exim] Problem with tls_verify_certificates in smtp transpor…

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Micha Krause
Date:  
À: exim-users
Sujet: [exim] Problem with tls_verify_certificates in smtp transport
Hi,

I want exim to only forward mails, if the MTA on the reciving side
presents a specific server certificate.

After reading the documentation at:
http://www.exim.org/exim-html-current/doc/html/spec_html/ch39.html I
found this:

"If the tls_verify_certificates option is set on the smtp transport, it
must name a file or, for OpenSSL only (not GnuTLS), a directory, that
contains a collection of expected server certificates. The client
verifies the server’s certificate against this collection, taking into
account any revoked certificates that are in the list defined by tls_crl."

I tried this, but somehow I can't get it to work.

exim -d shows:


SMTP>> STARTTLS

waiting for data on socket
read response data: size=18
SMTP<< 220 TLS go ahead
initializing GnuTLS as a client
read D-H parameters from file
initialized D-H parameters
no TLS client certificate is specified
verify certificates = /etc/exim4/certs/krausam.de.crt size=4103
initialized certificate stuff
initialized GnuTLS session
TLS certificate verification failed (invalid):
peerdn=C=DE,ST=Bavaria,L=Nuernberg,O=--,CN=mail.krausam.de,EMAIL=micha@???
LOG: MAIN
TLS error on connection to mail.krausam.de [213.95.21.220]: certificate
verification failed (invalid)
ok=0 send_quit=0 send_rset=1 continue_more=0 yield=1 first_address is
not NULL


Micha Krause