On 03/08/15 14:29, Mike Cardwell wrote:
> I have an SMTP transport which looks like this:
>
> remote_smtp:
> driver = smtp
> tls_verify_certificates = /etc/ssl/certs/
> tls_try_verify_hosts = *
> tls_verify_hosts = snake.grepular.com : flan.grepular.com
> hosts_require_tls = snake.grepular.com : flan.grepular.com
>
> When I send an email to an address that isn't hosted on
> "snake.grepular.com" or "flan.grepular.com" and that host uses a self
> signed certificate, it fails to verify and then falls back to using
> a plain text connection. For example:
>
> 2015-08-03 14:19:37 1ZMFeT-0007Bc-Fj SSL verify error: depth=0 error=self signed certificate cert=/C=EU/ST=European Union/L=Europa/O=U226.com/OU=Network Operations/CN=m2.u226.com/emailAddress=www.query@gmail.com
> 2015-08-03 14:19:37 1ZMFeT-0007Bc-Fj TLS error on connection to m2.u22.net [95.172.15.115] (SSL_connect): error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
> 2015-08-03 14:19:37 1ZMFeT-0007Bc-Fj TLS session failure: delivering unencrypted to m2.u22.net [95.172.15.115] (not in hosts_require_tls)
>
> Have I misunderstood something about how tls_try_verify_hosts is
> supposed to work? I'm using Exim 4.84 with OpenSSL.
Testing with "-d+tls" might show useful detail. Any hint why the TLS
was dropped, beyond the cert-verify fail?
--
Cheers,
Jeremy