Re: [exim] how to config SSL

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Heiko Schlittermann
Dátum:  
Címzett: exim-users
Tárgy: Re: [exim] how to config SSL
Robin Peng <robin.peng@???> (Fr 13 Jul 2012 08:36:55 CEST):
> Hi all
>
> I bought a SSL certificate (comodo),and config SSL as below:
> ------------------------------------------------------------------
> tls_advertise_hosts = *
> tls_require_ciphers = SSLv3:TLS
> tls_verify_certificates = /etc/ssl/comodo/CA.crt
> tls_certificate = /etc/ssl/comodo/server.crt
> tls_privatekey = /etc/ssl/comodo/server.key
> #tls_certificate = /etc/ssl/server.crt
> #tls_privatekey = /etc/ssl/server.key
> -------------------------------------------------------
> test SSL
> $ openssl s_client -connect mail.saybot.com:smtps
>
> CONNECTED(00000003)
> depth=0 /OU=Domain Control Validated/OU=PositiveSSL/CN=mail.saybot.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 /OU=Domain Control Validated/OU=PositiveSSL/CN=mail.saybot.com
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 /OU=Domain Control Validated/OU=PositiveSSL/CN=mail.saybot.com
> verify error:num=21:unable to verify the first certificate
> verify return:1
> exim vesion:4.76
>
> Anyone made such successful configure?


Your client (openssl) needs the CA, otherwise the client can't verify the CRT of
your server (exim). Check the s_client(1SSL) man page, look for -CAfile
or -CApath.

If this still does not work, you should check if you need a chain
certificate. Some CAs issue certificates signed with a "sub" CA of the
official known CA. The server should provide the "sub" CA (chain
certificate) as well as the server certificate to the client.

(If I remember well, it should suffice to just put both certs
into the server.crt file, but I'm not sure if the order matters.)

--
Heiko :: dresden : linux : SCHLITTERMANN.de
GPG Key 48D0359B : 3061 CFBF 2D88 F034 E8D2 7E92 EE4E AC98 48D0 359B