Re: [exim] how to config SSL

Author: Heiko Schlittermann
Date:  
To: exim-users
Subject: Re: [exim] how to config SSL
Robin Peng <robin.peng@???> (Fr 13 Jul 2012 08:36:55 CEST):
> Hi all
>
> I bought an SSL certificate (Comodo), and configured SSL as below:
> ------------------------------------------------------------------
> tls_advertise_hosts = *
> tls_require_ciphers = SSLv3:TLS
> tls_verify_certificates = /etc/ssl/comodo/CA.crt
> tls_certificate = /etc/ssl/comodo/server.crt
> tls_privatekey = /etc/ssl/comodo/server.key
> #tls_certificate = /etc/ssl/server.crt
> #tls_privatekey = /etc/ssl/server.key
> -------------------------------------------------------
> test SSL
> $ openssl s_client -connect mail.saybot.com:smtps
>
> CONNECTED(00000003)
> depth=0 /OU=Domain Control Validated/OU=PositiveSSL/CN=mail.saybot.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 /OU=Domain Control Validated/OU=PositiveSSL/CN=mail.saybot.com
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 /OU=Domain Control Validated/OU=PositiveSSL/CN=mail.saybot.com
> verify error:num=21:unable to verify the first certificate
> verify return:1
> exim version: 4.76
>
> Has anyone successfully made such a configuration?


Your client (openssl) needs the CA, otherwise the client can't verify the CRT of
your server (exim). Check the s_client(1SSL) man page, look for -CAfile
or -CApath.

If this still does not work, you should check if you need a chain
certificate. Some CAs issue certificates signed with a "sub" CA of the
official known CA. The server should provide the "sub" CA (chain
certificate) as well as the server certificate to the client.

(If I remember well, it should suffice to just put both certs
into the server.crt file, but I'm not sure if the order matters.)

--
Heiko :: dresden : linux : SCHLITTERMANN.de
GPG Key 48D0359B : 3061 CFBF 2D88 F034 E8D2 7E92 EE4E AC98 48D0 359B
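
The chain problem described in the reply can be reproduced offline. This is an added example, not part of the original message: it builds a constructed root CA, "sub" CA and server certificate (all names and file names are made up), then verifies as a client that trusts only the root, first with the server certificate alone and then with a bundle that carries the sub CA as well. The bundle puts the server certificate first, which is the order TLS uses for the certificate list a server sends.

```shell
#!/bin/sh
# Added example: constructed three-level PKI (root -> sub CA -> server).
# All subject names and file names here are made up for the demonstration.

new_csr() {  # $1 = file prefix, $2 = CN; writes $1.key and $1.csr
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

make_demo_pki() {  # $1 = empty working directory
    d=$1
    # Root and sub CA must be marked as CAs, or path validation rejects them.
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    new_csr "$d/root" "Demo Root CA" &&
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null &&
    new_csr "$d/sub" "Demo Sub CA" &&
    openssl x509 -req -in "$d/sub.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/sub.crt" 2>/dev/null &&
    new_csr "$d/server" "mail.example.test" &&
    openssl x509 -req -in "$d/server.csr" -CA "$d/sub.crt" -CAkey "$d/sub.key" \
        -CAcreateserial -days 2 -out "$d/server.crt" 2>/dev/null &&
    # Both certs in one file: server certificate first, then the sub CA.
    cat "$d/server.crt" "$d/sub.crt" > "$d/bundle.crt"
}

# Client view: $1 = trusted CA file, $2 = certs the server offered (untrusted),
# $3 = server certificate. True only if a path to the trusted root can be built.
client_verifies() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>&1 | grep -q ': OK$'
}

# Print subject and issuer of every certificate in a PEM file, in file order.
bundle_order() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

demo() {
    d=$(mktemp -d) && make_demo_pki "$d" || return 1
    client_verifies "$d/root.crt" "$d/server.crt" "$d/server.crt" \
        && echo "server.crt alone: OK" || echo "server.crt alone: FAIL"
    client_verifies "$d/root.crt" "$d/bundle.crt" "$d/server.crt" \
        && echo "server.crt + sub CA: OK" || echo "server.crt + sub CA: FAIL"
    bundle_order "$d/bundle.crt"
    rm -rf "$d"
}
demo
```

`bundle_order` works on any PEM file, so it can be pointed at a real certificate file to confirm which certificates it contains and in what order.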