Re: [exim] how to config SSL

Author: Sven Hartge
Date:  
To: exim-users
Subject: Re: [exim] how to config SSL
Robin Peng <robin.peng@???> wrote:
> Hi all


> I bought an SSL certificate (comodo), and config SSL as below:
> ------------------------------------------------------------------
> tls_advertise_hosts = *
> tls_require_ciphers = SSLv3:TLS
> tls_verify_certificates = /etc/ssl/comodo/CA.crt


You don't need this, only if you want to verify _clients_ using this CA.

> tls_certificate = /etc/ssl/comodo/server.crt


Your certificate should contain _the whole chain_ up to the root
certificate of the CA.

I.e. the first certificate in that file is your certificate, then any
intermediate certs in the correct order and last the root-CA cert.

Just use "cat" to append them all to one file.

> $ openssl s_client -connect mail.saybot.com:smtps


openssl will always tell you it cannot verify the certificates, unless
you manually specify the directory (or file) where your CA certs reside
on your system:

openssl s_client -CApath /etc/ssl/certs -connect mail.saybot.com:smtps

(or -CAfile /etc/ssl/ca-certificates.crt or any other file with a
collection of CA certs inside).

Greetings,
Sven.

--
Sigmentation fault. Core dumped.
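
The chain-file layout described in the reply above, as an added example that is not part of the original message: it builds a throwaway root, intermediate and server certificate with openssl, joins them with cat, and checks that each certificate's issuer matches the subject of the one after it. All file names and subject names (such as mail.example.test) are constructed, and the check compares names only; it does not verify signatures.

```shell
#!/bin/sh
# Added example; every name and file below is constructed for the demo.

# Create root -> intermediate -> server certificates in directory $1.
make_demo_chain() (
  cd "$1" || exit 2
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
    -keyout root.key -out root.crt 2>/dev/null
  issue() {  # issue <name> <CN> <signing CA name> <serial>
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
      -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" \
      -set_serial "$4" -days 1 -out "$1.crt" 2>/dev/null
  }
  issue intermediate "Demo Intermediate CA" root 2
  issue server "mail.example.test" intermediate 3
)

# Print "ok" if each certificate in bundle $1 names the next one as its issuer.
# Exit status: 0 ordered, 1 out of order, 2 no certificate found.
check_chain_order() (
  tmp=$(mktemp -d) || exit 2
  trap 'rm -rf "$tmp"' EXIT
  # Split the bundle into cert-1.pem, cert-2.pem, ... in file order.
  awk -v dir="$tmp" '/-----BEGIN CERTIFICATE-----/{n++}
                     n{print > (dir "/cert-" n ".pem")}' "$1"
  [ -f "$tmp/cert-1.pem" ] || { echo "no certificates found"; exit 2; }
  i=1
  while [ -f "$tmp/cert-$((i + 1)).pem" ]; do
    issuer=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$tmp/cert-$i.pem")
    subject=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$tmp/cert-$((i + 1)).pem")
    if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
      echo "certificate $i is not issued by certificate $((i + 1))"
      exit 1
    fi
    i=$((i + 1))
  done
  echo ok
)

demo() (
  d=$(mktemp -d) && make_demo_chain "$d" || exit 2
  # Server certificate first, then intermediate, then root.
  cat "$d/server.crt" "$d/intermediate.crt" "$d/root.crt" > "$d/chain.pem"
  cat "$d/server.crt" "$d/root.crt" "$d/intermediate.crt" > "$d/wrong.pem"
  check_chain_order "$d/chain.pem"
  check_chain_order "$d/wrong.pem" || true
  rm -rf "$d"
)
demo
```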