Re: [exim] how to config SSL

Robin Peng <robin.peng@???> wrote:
> Hi all

> I bought a SSL certificate (comodo),and config SSL as below:
> ------------------------------------------------------------------
> tls_advertise_hosts = *
> tls_require_ciphers = SSLv3:TLS
> tls_verify_certificates = /etc/ssl/comodo/CA.crt

You don't need this, only if you want to verify _clients_ using this CA.

> tls_certificate = /etc/ssl/comodo/server.crt

Your certificate should contain _the whole chain_ up to the root
certificate of the CA.

I.e. the first certificate in that file is your certificace, then any
intermediate certs in the correct order and last the root-CA cert.

Just use "cat" to append them all to one file.

> $ openssl s_client -connect mail.saybot.com:smtps

openssl will always tell you it cannot verify the certificates, unless
you manuall specify the directory (or file) where your CA certs reside
on your system:

openssl s_client -CApath /etc/ssl/certs -connect mail.saybot.com:smtps

(or -CAfile /etc/ssl/ca-certificates.crt or any other file with a
collection of CA certs inside).

Grüße,
Sven.

--
Sigmentation fault. Core dumped.