Hi,
In a transport, I can do:
smtp:
driver = smtp
hosts_require_tls = *
which requires encryption (albeit without any sort of verification
that I'm talking to the right server - leave that issue aside for
the moment!)
I can also do
smtp:
driver = smtp
hosts_require_tls = *
tls_verify_certificates = /path/to/server.cert
to guarantee TLS, and also verify the server certificate.
However, it would be nice to be able to do
smtp:
driver = smtp
hosts_require_tls = *
multi_domain = false
tls_verify_certificates = ${if exists {/path/to/$domain} {/path/to/$domain} {}}
but this fails trying to read a non-existent file (works fine if
the certificate file is there)
I've also tried "fail" instead of {} (not really expecting it to
work):
tls_verify_certificates = ${if exists {/path/to/$domain} {/path/to/$domain} fail}
Using /dev/null gets further (looking at the source, it doesn't
return DEFER if the file exists but zero-length), in that it
doesn't bomb out before trying to read the file:
tls_verify_certificates = ${if exists {/path/to/$domain} {/path/to/$domain} {/dev/null}}
but then the certificate verification fails a bit later on.
The source has a comment:
/* If the cert file is empty, there's no point in loading the CRL file. */
which I don't really get - why even bother with verification at
all if the cert file is empty? :-)
Is there a way to do this, without having to create two
transports, and checking for the presence of the certificate to
verify in the routing stage?
Cheers,
Matthew
(Note - using exim 4.72 on Debian, which means it's using the
gnutls code path, rather than openssl)
--
Matthew Newton, Ph.D. <mcn4@???>
Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@???>
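For reference, the alternative the post mentions (two transports, with the check for the per-domain certificate file moved into a router precondition) looks like this in Exim configuration syntax. This is an added example, not configuration from the post; the directory /etc/exim4/tls and the router and transport names are assumptions.

```exim
begin routers

# Added example: domains that have a per-domain CA file get the verifying
# transport. The file path is an assumption; ${if exists{...}} with no
# branches yields "true" or "", which is what a router "condition" expects.
dnslookup_verified:
  driver = dnslookup
  domains = ! +local_domains
  condition = ${if exists{/etc/exim4/tls/$domain}}
  transport = remote_smtp_verified

# Everything else falls through to the transport that only requires TLS
# without verifying the peer certificate.
dnslookup:
  driver = dnslookup
  domains = ! +local_domains
  transport = remote_smtp
  no_more

begin transports

# Require TLS and verify the server certificate against the per-domain file.
# multi_domain = false keeps $domain well defined for one delivery.
remote_smtp_verified:
  driver = smtp
  hosts_require_tls = *
  multi_domain = false
  tls_verify_certificates = /etc/exim4/tls/$domain

# Require TLS only; no certificate verification.
remote_smtp:
  driver = smtp
  hosts_require_tls = *
```

A quick way to confirm which transport a given address will use is `exim -bt user@example.org`, which prints the router and transport chosen without delivering anything.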