Re: [exim] Example on how to make working self signed cert w…

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Heiko Schlittermann
Dátum:  
Címzett: exim-users
Tárgy: Re: [exim] Example on how to make working self signed cert with GnuTLS and exim 4.80?
Hi Marc,

Marc MERLIN <marc_news@???> (Do 26 Dez 2013 23:03:07 CET):
> I was doing fine with openssl, but since I've switched to GnuTLS with
> exim4, I just never got it to work for server certs.
>
> In my previously working exim4.conf (for TLS with openssl), I have:
> CERTNAME=/etc/exim4/exim.crt
> KEYNAME=/etc/exim4/exim.key


I suppose these lines are macros. But where are these macros used?

>
> I get offered TLS, but it's rejected with:
> 13:32:57 27723 SMTP<< STARTTLS
> 13:32:57 27723 using ACL "check_tls"
> 13:32:57 27723 processing "accept"
> 13:32:57 27723 accept: condition test succeeded in ACL "check_tls"
> 13:32:57 27723 initialising GnuTLS as a server
> 13:32:57 27723 GnuTLS global init required.
> 13:32:57 27723 initialising GnuTLS server session
> 13:32:57 27723 Expanding various TLS configuration options for session credentials.
> 13:32:57 27723 LOG: MAIN
> 13:32:57 27723 TLS error on connection from bgl93-4-82-235-219-215.fbx.proxad.net (gandalfthegreat.merlins.org) [82.235.219.215]:39034
> I=[209.81.13.136]:587 (no TLS server certificate is specified)
> 13:32:57 27723 SMTP>> 454 TLS currently unavailable
>
> The error message doesn't seem correct since the cert files are specified and present.


How do you know?
Try

    exim -bP 'tls_certificate tls_privatekey'


> I'm going to assume GnuTLS doesn't like them and won't tell me why.


But the message (cert not found) sounds not that way.

(But, anyway, once I had problems with certs GnuTLS didn't like. These certs used an
MD5 signature.)

> I've tried multiple howtos for making new self signed TLS certs, but none have
> generated a working file for exim.


I do not see any reason to generate new certs (except for the reason
above.)

> Can someone point me to a currently working way to make a self signed cert with exim4?



    openssl req -x509 -new -keyout key.pem -out crt.pem -nodes 


And then, in the exim.conf

    tls_certificate = crt.pem
    tls_privatekey = key.pem


Double check the permissions. Exim reads the cert and key when the
client connects, that is, as the Exim user, not as root!

(But I think, if file permissions are your problem, the error message is
about permissions. How it is with directory permissions, I'm not sure.)


    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
-- 
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: 7CBF764A -
 gnupg fingerprint: 9288 F17D BBF9 9625 5ABC  285C 26A9 687E 7CBF 764A -
(gnupg fingerprint: 3061 CFBF 2D88 F034 E8D2  7E92 EE4E AC98 48D0 359B)-