Re: [exim] My self signed cert seems to fail with american e…

Author: Marc MERLIN
Date:  
To: Andreas Metzler
CC: exim-users
Subject: Re: [exim] My self signed cert seems to fail with american express
On Thu, Feb 20, 2014 at 07:23:19PM +0100, Andreas Metzler wrote:
> Marc MERLIN <marc_exim4@???> wrote:
> > Two issues.
>
> > With exim 4.80 on mail1.merlins.org, I have TLS Email working pretty
> > much all the time (as far as I can tell), but I just noticed that I
> > was not getting some Emails from american express.
> [...]
> > You are welcome to spam my Email directly to see what cert and encryption
> > you get out of it, although I kind of know it already works with exim,
> > gmail, and more, so the problem must be less obvious than that.
> [...]
>
> Two obvious things:
> ------------------------------------
> *prompt* gnutls-cli -s -p 25 mail1.merlins.org
> [...]
> 220 TLS go ahead
> *** Starting TLS handshake
> - Ephemeral Diffie-Hellman parameters
> - Using prime: 2048 bits
> - Secret key: 2046 bits
> - Peer's public key: 2045 bits
> - Certificate type: X.509
> - Got a certificate list of 1 certificates.
> - Certificate[0] info:
> - subject `CN=merlins.org,O=Linux Geeks Inc,L=Silicon Valley,ST=CA,C=US,DC=merlins.org', issuer `CN=merlins.org,O=Linux Geeks Inc,L=Silicon Valley,ST=CA,C=US,DC=merlins.org', RSA key 2432 bits, signed using RSA-SHA1, activated `2013-12-26 21:52:08 UTC', expires `2014-01-25 21:52:08 UTC', SHA-1 fingerprint `84548240169ce156ca56b2730726ae1b1cd4e799'
> - The hostname in the certificate does NOT match 'mail1.merlins.org'
> ------------------------------------
>
> ------------------------------------
> *prompt* openssl s_client -starttls smtp -connect mail1.merlins.org:25
> [...]
> verify error:num=10:certificate has expired
> notAfter=Jan 25 21:52:08 2014 GMT
> ------------------------------------


Thanks for catching that. Looks like when I was debugging my earlier
ssl problem a couple months back, I put the wrong cert back in place.

Out of curiosity, can you do a star certificate (*.merlins.org) for smtp
servers, or are you better off having one for each server?

Thanks
Marc
-- 
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems ....
                                      .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/
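The two findings quoted above (expired certificate, and a CN that does not match the MX hostname) are exactly the checks a receiving MTA applies before it will trust a STARTTLS peer. The script below is an added example, not code from this thread or from Exim: it reproduces those two checks on the dictionary `ssl.SSLSocket.getpeercert()` returns, implements the wildcard rule that answers the `*.merlins.org` question (a `*` only ever matches one whole leftmost label, so `*.merlins.org` covers `mail1.merlins.org` but not `merlins.org` or `a.b.merlins.org`), and can fetch a live certificate over STARTTLS. The `SAMPLE_*` certificates are constructed test data modeled on the quoted gnutls-cli output, not real certificates.

```python
"""Check an SMTP STARTTLS certificate for expiry and hostname mismatch.

Added example (not from the exim-users thread). The offline checks work on the
dict format returned by ssl.SSLSocket.getpeercert(); fetch_smtp_cert() obtains
such a dict from a live server.
"""
import calendar
import smtplib
import ssl
import sys
import time


def utc_seconds(year, month, day, hour=0, minute=0, second=0):
    """Seconds since the epoch for a UTC timestamp (helper for tests and examples)."""
    return calendar.timegm((year, month, day, hour, minute, second))


def hostname_matches(hostname, names):
    """RFC 6125 style matching: exact match, or a '*' that stands for exactly one
    complete leftmost label. '*.merlins.org' matches 'mail1.merlins.org' but not
    'merlins.org' (no label to consume) or 'a.b.merlins.org' (two labels)."""
    host = hostname.lower().rstrip(".")
    for name in names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]                    # ".merlins.org"
            if host.endswith(suffix):
                leftmost = host[: -len(suffix)]  # "mail1" for mail1.merlins.org
                if leftmost and "." not in leftmost:
                    return True
    return False


def cert_names(cert):
    """DNS names the certificate claims: SAN dNSName entries, else the subject CN
    (clients ignore the CN once a SAN extension is present)."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def check_certificate(cert, hostname, now=None):
    """Return a list of problem strings; an empty list means both checks pass."""
    now = time.time() if now is None else now
    problems = []
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        problems.append("certificate has expired (notAfter=%s)" % cert["notAfter"])
    if "notBefore" in cert and ssl.cert_time_to_seconds(cert["notBefore"]) > now:
        problems.append("certificate not yet valid (notBefore=%s)" % cert["notBefore"])
    names = cert_names(cert)
    if not hostname_matches(hostname, names):
        problems.append("hostname %r does not match certificate names %r" % (hostname, names))
    return problems


def fetch_smtp_cert(host, port=25, timeout=10):
    """Connect, issue STARTTLS with a verifying context and return (cert_dict, None),
    or (None, error_text) when the TLS layer already rejects the certificate
    (an expired or mismatched cert fails here exactly as it does for a peer MTA)."""
    context = ssl.create_default_context()
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as server:
            server.starttls(context=context)
            return server.sock.getpeercert(), None
    except (ssl.SSLError, smtplib.SMTPException, OSError) as exc:
        return None, str(exc)


# Constructed sample modeled on the quoted gnutls-cli output: CN-only certificate
# for merlins.org, no SAN, validity 2013-12-26 to 2014-01-25.
SAMPLE_EXPIRED_CN_ONLY = {
    "subject": ((("commonName", "merlins.org"),), (("organizationName", "Linux Geeks Inc"),)),
    "notBefore": "Dec 26 21:52:08 2013 GMT",
    "notAfter": "Jan 25 21:52:08 2014 GMT",
}

# Constructed wildcard certificate, valid far into the future.
SAMPLE_WILDCARD = {
    "subject": ((("commonName", "*.merlins.org"),),),
    "subjectAltName": (("DNS", "*.merlins.org"), ("DNS", "merlins.org")),
    "notBefore": "Jan 01 00:00:00 2014 GMT",
    "notAfter": "Jan 01 00:00:00 2099 GMT",
}

if __name__ == "__main__":
    # Usage: python check_smtp_cert.py mail1.merlins.org [port]
    target = sys.argv[1] if len(sys.argv) > 1 else "mail1.merlins.org"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
    cert, error = fetch_smtp_cert(target, port)
    if error:
        print("TLS layer rejected the certificate:", error)
    else:
        print(check_certificate(cert, target) or ["no problems found"])
```

Run against a real host, `fetch_smtp_cert()` fails fast for the self-signed, expired and mismatched certificate in the thread, because the default context verifies the chain and the hostname; `check_certificate()` is useful on the dict you get from a server whose chain already validates, and as an offline way to see which of the two checks a given name set would pass.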