I have an SMTP transport which looks like this:
remote_smtp:
  driver = smtp
  tls_verify_certificates = /etc/ssl/certs/
  tls_try_verify_hosts = *
  tls_verify_hosts = snake.grepular.com : flan.grepular.com
  hosts_require_tls = snake.grepular.com : flan.grepular.com
When I send an email to an address that isn't hosted on
"snake.grepular.com" or "flan.grepular.com" and that host uses a
self-signed certificate, it fails to verify and then falls back to using
a plaintext connection. For example:
2015-08-03 14:19:37 1ZMFeT-0007Bc-Fj SSL verify error: depth=0 error=self signed certificate cert=/C=EU/ST=European Union/L=Europa/O=U226.com/OU=Network Operations/CN=m2.u226.com/emailAddress=www.query@gmail.com
2015-08-03 14:19:37 1ZMFeT-0007Bc-Fj TLS error on connection to m2.u22.net [95.172.15.115] (SSL_connect): error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
2015-08-03 14:19:37 1ZMFeT-0007Bc-Fj TLS session failure: delivering unencrypted to m2.u22.net [95.172.15.115] (not in hosts_require_tls)
Have I misunderstood something about how tls_try_verify_hosts is
supposed to work? I'm using Exim 4.84 with OpenSSL.
Regards,
Mike
--
Mike Cardwell https://grepular.com https://emailprivacytester.com
OpenPGP Key 35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
XMPP OTR Key 8924 B06A 7917 AAF3 DBB1 BF1B 295C 3C78 3EF1 46B4
* Want to hire me? Currently available for full-time and contracts *
  https://hireme.grepular.com <- More info here
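Whatever the intended semantics of tls_try_verify_hosts turn out to be, the operational concern in the post is a silent downgrade: a verify failure followed by "delivering unencrypted". The script below is an added example (not part of the post, and not Exim code) that scans Exim main-log lines, correlates each "SSL verify error" with the later "TLS session failure: delivering unencrypted" line for the same message ID, and reports the peer, the verify error, the certificate CN, and whether that CN even matches the host Exim connected to. The log text is constructed: the first three lines are modelled on the ones quoted above, and the remaining hosts (mail.example.invalid, mx.example.org) are hypothetical.

```python
import re

# Constructed sample of Exim main-log lines (not a real capture). The first three
# are modelled on the lines quoted in the post; the later deliveries are made up
# so the report shows a clean TLS delivery (CV=yes) alongside two downgrades.
SAMPLE_LOG = """\
2015-08-03 14:19:37 1ZMFeT-0007Bc-Fj SSL verify error: depth=0 error=self signed certificate cert=/C=EU/ST=European Union/L=Europa/O=U226.com/OU=Network Operations/CN=m2.u226.com/emailAddress=www.query@gmail.com
2015-08-03 14:19:37 1ZMFeT-0007Bc-Fj TLS error on connection to m2.u22.net [95.172.15.115] (SSL_connect): error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
2015-08-03 14:19:37 1ZMFeT-0007Bc-Fj TLS session failure: delivering unencrypted to m2.u22.net [95.172.15.115] (not in hosts_require_tls)
2015-08-03 14:20:01 1ZMFf0-0007Cd-Ab SSL verify error: depth=0 error=self signed certificate cert=/CN=mail.example.invalid
2015-08-03 14:20:01 1ZMFf0-0007Cd-Ab TLS error on connection to mail.example.invalid [192.0.2.10] (SSL_connect): error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
2015-08-03 14:20:02 1ZMFf0-0007Cd-Ab TLS session failure: delivering unencrypted to mail.example.invalid [192.0.2.10] (not in hosts_require_tls)
2015-08-03 14:21:00 1ZMFfZ-0007Dd-Cd => bob@example.org R=dnslookup T=remote_smtp H=mx.example.org [198.51.100.5] X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=yes
"""

# "SSL verify error" line: the error text is followed by the OpenSSL one-line subject,
# which may itself contain spaces (e.g. ST=European Union), so it is captured greedily.
VERIFY_ERR_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<msgid>\S+) SSL verify error: "
    r"depth=(?P<depth>\d+) error=(?P<error>.*?) cert=(?P<subject>.*)$"
)

# "delivering unencrypted" line: the plaintext fallback we want to surface.
DOWNGRADE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<msgid>\S+) TLS session failure: delivering unencrypted to "
    r"(?P<host>\S+) \[(?P<ip>[^\]]+)\] \((?P<reason>[^)]*)\)$"
)


def cert_field(subject, key):
    """Return one RDN value (e.g. 'CN') from a slash-separated OpenSSL subject."""
    for part in subject.split("/"):
        if part.startswith(key + "="):
            return part[len(key) + 1:]
    return None


def find_plaintext_downgrades(log_text):
    """Correlate verify errors with unencrypted fallbacks by Exim message ID.

    Returns one record per 'delivering unencrypted' line, in log order, carrying
    the most recent verify error seen for the same message (None if there was none).
    """
    verify_errors = {}  # msgid -> groupdict of the latest SSL verify error
    downgrades = []
    for line in log_text.splitlines():
        m = VERIFY_ERR_RE.match(line)
        if m:
            verify_errors[m["msgid"]] = m.groupdict()
            continue
        m = DOWNGRADE_RE.match(line)
        if not m:
            continue
        ve = verify_errors.get(m["msgid"])
        cn = cert_field(ve["subject"], "CN") if ve else None
        downgrades.append({
            "ts": m["ts"],
            "msgid": m["msgid"],
            "host": m["host"],
            "ip": m["ip"],
            "reason": m["reason"],
            "verify_error": ve["error"] if ve else None,
            "cert_cn": cn,
            # A CN that differs from the connected host is worth flagging on its own.
            "cn_matches_host": (cn == m["host"]) if cn is not None else None,
        })
    return downgrades


def downgraded_hosts(log_text):
    """Sorted, de-duplicated list of peers that received plaintext after a verify error."""
    return sorted({d["host"] for d in find_plaintext_downgrades(log_text)
                   if d["verify_error"] is not None})


if __name__ == "__main__":
    for d in find_plaintext_downgrades(SAMPLE_LOG):
        print(f"{d['ts']} {d['msgid']} -> {d['host']} [{d['ip']}]: "
              f"verify error '{d['verify_error']}', cert CN={d['cert_cn']}, "
              f"CN matches host: {d['cn_matches_host']}, fallback reason: {d['reason']}")
    print("hosts downgraded to plaintext:", ", ".join(downgraded_hosts(SAMPLE_LOG)))
```

Run it against a real mainlog with `python3 script.py < /var/log/exim4/mainlog` after replacing SAMPLE_LOG with `sys.stdin.read()`; a non-empty output is the list of peers for which the transport's policy allowed an unverified certificate to degrade into no TLS at all.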