Hello,
I'm using Exim 4.80 on a decent Ubuntu as a "client".
The Exim client should use TLS whenever possible. For a small collection
of hosts it should additionally insinst in successful certificate
verification.
My exim.conf
…
CF = /etc/exim4
…
begin transports
remote_smtp:
driver = smtp
hosts_require_tls = mout.foo.bar
tls_verify_certificate = ${if eq{$host}{mout.foo.bar}{CF/mout.foo.bar-crt.pem}fail}
The spec.txt states:
All the TLS options in the smtp transport are expanded before use, with $host
and $host_address containing the name and address of the server to which the
client is connected. Forced failure of an expansion causes Exim to behave as if
the relevant option were unset.
If my above setting is right, the expansion of ${if …} should result in
a forced failure for every host, except the mout.foo.bar. This in turn
should make the tls_verify_certificate option unset. If this option is
unset, no verification should take place.
If I remove the tls_verify_certificate option, Exim behaves as expected,
it can't verify the certificate, BUT it insisist at least on encryption.
If I use the above configuration, the verification is attempted, always.
But this is not what I want.
For furthere information some debug output:
Exim version 4.80 uid=0 gid=0 pid=1762 D=101
…
delivering 1VeWyM-0000SG-AD (queue run pid 1762)
Connecting to mout.foo.bar [__.__.___.__]:25 ... connected
expanding: $primary_hostname
result: mail.foo.bar
SMTP<< 220 mout.foo.bar ESMTP Exim 4.80 Ubuntu Thu, 07 Nov 2013 22:19:05 +0100
SMTP>> EHLO mail.foo.bar
SMTP<< 250-mout.foo.bar Hello mail.foo.bar [__.___.___.__]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-STARTTLS
250 HELP
SMTP>> STARTTLS
SMTP<< 220 TLS go ahead
expanding: $host
result: mout.foo.bar
expanding: abc.foo.bar
result: abc.foo.bar
condition: eq{$host}{abc.foo.bar}
result: false
expanding: /etc/exim4/mout.foo.bar-crt.pem
result: /etc/exim4/mout.foo.bar-crt.pem
skipping: result is not used
failed to expand: ${if eq{$host}{abc.foo.bar}{/etc/exim4/mout.foo.bar-crt.pem}fail}
error message: "if" failed and "fail" requested
failure was forced
LOG: MAIN
TLS error on connection to mout.foo.bar [78.47.187.30] (certificate verification failed): invalid
LOG: MAIN
== hs@??? R=smarthost T=remote_smtp defer (-37): failure while setting up TLS session
Any idea anybody?
Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --------------- key ID: 7CBF764A -
gnupg fingerprint: 9288 F17D BBF9 9625 5ABC 285C 26A9 687E 7CBF 764A -
(gnupg fingerprint: 3061 CFBF 2D88 F034 E8D2 7E92 EE4E AC98 48D0 359B)-
