[exim] tls_verify_certificates = {forced failure} but it tri…

Author: Heiko Schlittermann
Date:  
To: exim-users
Subject: [exim] tls_verify_certificates = {forced failure} but it tries to verify the cert anyway
Hello,

I'm using Exim 4.80 on a decent Ubuntu as a "client".
The Exim client should use TLS whenever possible. For a small collection
of hosts it should additionally insist on successful certificate
verification.


My exim.conf

    …
    CF = /etc/exim4
    …
    begin transports


    remote_smtp:
        driver = smtp
        hosts_require_tls = mout.foo.bar
        # smtp transport option is tls_verify_certificates (plural), as in the Subject
        tls_verify_certificates = ${if eq{$host}{mout.foo.bar}{CF/mout.foo.bar-crt.pem}fail}



The spec.txt states:

    All the TLS options in the smtp transport are expanded before use, with $host
    and $host_address containing the name and address of the server to which the
    client is connected. Forced failure of an expansion causes Exim to behave as if
    the relevant option were unset.



If my above setting is right, the expansion of ${if …} should result in
a forced failure for every host except mout.foo.bar. This in turn
should make the tls_verify_certificates option unset. If this option is
unset, no verification should take place.

If I remove the tls_verify_certificates option, Exim behaves as expected:
it can't verify the certificate, BUT it insists at least on encryption.

If I use the above configuration, the verification is attempted, always.
But this is not what I want.

For further information, some debug output:

    Exim version 4.80 uid=0 gid=0 pid=1762 D=101
    …
    delivering 1VeWyM-0000SG-AD (queue run pid 1762)
    Connecting to mout.foo.bar [__.__.___.__]:25 ... connected
    expanding: $primary_hostname
    result: mail.foo.bar
    SMTP<< 220 mout.foo.bar ESMTP Exim 4.80 Ubuntu Thu, 07 Nov 2013 22:19:05 +0100
    SMTP>> EHLO mail.foo.bar
    SMTP<< 250-mout.foo.bar Hello mail.foo.bar [__.___.___.__]
            250-SIZE 52428800
            250-8BITMIME
            250-PIPELINING
            250-STARTTLS
            250 HELP
    SMTP>> STARTTLS
    SMTP<< 220 TLS go ahead
    expanding: $host
    result: mout.foo.bar
    expanding: abc.foo.bar
    result: abc.foo.bar
    condition: eq{$host}{abc.foo.bar}
    result: false
    expanding: /etc/exim4/mout.foo.bar-crt.pem
    result: /etc/exim4/mout.foo.bar-crt.pem
    skipping: result is not used
    failed to expand: ${if eq{$host}{abc.foo.bar}{/etc/exim4/mout.foo.bar-crt.pem}fail}
    error message: "if" failed and "fail" requested
    failure was forced
    LOG: MAIN
    TLS error on connection to mout.foo.bar [78.47.187.30] (certificate verification failed): invalid
    LOG: MAIN
    == hs@??? R=smarthost T=remote_smtp defer (-37): failure while setting up TLS session



Any idea anybody?

    Best regards from Dresden/Germany
    Kind regards from Dresden
    Heiko Schlittermann
-- 
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: 7CBF764A -
 gnupg fingerprint: 9288 F17D BBF9 9625 5ABC  285C 26A9 687E 7CBF 764A -
(gnupg fingerprint: 3061 CFBF 2D88 F034 E8D2  7E92 EE4E AC98 48D0 359B)-
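One way to get the per-host behaviour without relying on forced expansion failure, as an added example that is not from the original post: route the hosts that must be verified through their own transport, so the CA file is only ever set where verification is wanted. The router and transport names, placing this router before the existing smarthost router, and the +local_domains list are assumptions.

```exim
begin routers

# Constructed example: send the small set of hosts that must present a
# verified certificate through a dedicated transport. The router name,
# the +local_domains list and the route_list entry are assumptions.
verified_smarthost:
  driver = manualroute
  domains = ! +local_domains
  route_list = * mout.foo.bar
  transport = remote_smtp_verified
  no_more

begin transports

# Only this transport carries the CA file, so verification is demanded
# exactly for the hosts routed here; no ${if ...}fail expansion needed.
remote_smtp_verified:
  driver = smtp
  hosts_require_tls = *
  tls_verify_certificates = CF/mout.foo.bar-crt.pem

# The general transport for everything else: TLS when the server
# offers it, no certificate verification.
remote_smtp:
  driver = smtp
```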