[exim] TLS verify

Góra strony
Delete this message
Reply to this message
Autor: Mike Cardwell
Data:  
Dla: exim-users
Temat: [exim] TLS verify
I have an SMTP transport which looks like this:

remote_smtp:
    driver                  = smtp
    tls_verify_certificates = /etc/ssl/certs/
    tls_try_verify_hosts    = *
    tls_verify_hosts        = snake.grepular.com : flan.grepular.com
    hosts_require_tls       = snake.grepular.com : flan.grepular.com


When I send an email to an address that isn't hosted on
"snake.grepular.com" or "flan.grepular.com" and that host uses a self
signed certificate, it fails to verify and then falls back to using
a plain text connection. For example:

2015-08-03 14:19:37 1ZMFeT-0007Bc-Fj SSL verify error: depth=0 error=self signed certificate cert=/C=EU/ST=European Union/L=Europa/O=U226.com/OU=Network Operations/CN=m2.u226.com/emailAddress=www.query@gmail.com
2015-08-03 14:19:37 1ZMFeT-0007Bc-Fj TLS error on connection to m2.u22.net [95.172.15.115] (SSL_connect): error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
2015-08-03 14:19:37 1ZMFeT-0007Bc-Fj TLS session failure: delivering unencrypted to m2.u22.net [95.172.15.115] (not in hosts_require_tls)

Have I misunderstood something about how tls_try_verify_hosts is
supposed to work? I'm using Exim 4.84 with OpenSSL.

Regards,

Mike

-- 
Mike Cardwell  https://grepular.com https://emailprivacytester.com
OpenPGP Key    35BC AF1D 3AA2 1F84 3DC3   B0CF 70A5 F512 0018 461F
XMPP OTR Key   8924 B06A 7917 AAF3 DBB1   BF1B 295C 3C78 3EF1 46B4


* Want to hire me? Currently available for full-time and contracts
* https://hireme.grepular.com <- More info here