Re: [exim] TLS verify

Author: Always Learning
Date:  
To: Exim
Subject: Re: [exim] TLS verify

On Mon, 2015-08-03 at 14:29 +0100, Mike Cardwell wrote:

> I have an SMTP transport which looks like this:
>
> remote_smtp:
>     driver                  = smtp
>     tls_verify_certificates = /etc/ssl/certs/
>     tls_try_verify_hosts    = *
>     tls_verify_hosts        = snake.grepular.com : flan.grepular.com
>     hosts_require_tls       = snake.grepular.com : flan.grepular.com
>
> When I send an email to an address that isn't hosted on
> "snake.grepular.com" or "flan.grepular.com" and that host uses a self
> signed certificate, it fails to verify and then falls back to using
> a plain text connection. For example:
>
> 2015-08-03 14:19:37 1ZMFeT-0007Bc-Fj SSL verify error: depth=0 error=self signed certificate cert=/C=EU/ST=European Union/L=Europa/O=U226.com/OU=Network Operations/CN=m2.u226.com/emailAddress=www.query@gmail.com
> 2015-08-03 14:19:37 1ZMFeT-0007Bc-Fj TLS error on connection to m2.u22.net [95.172.15.115] (SSL_connect): error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
> 2015-08-03 14:19:37 1ZMFeT-0007Bc-Fj TLS session failure: delivering unencrypted to m2.u22.net [95.172.15.115] (not in hosts_require_tls)
>
> Have I misunderstood something about how tls_try_verify_hosts is
> supposed to work? I'm using Exim 4.84 with OpenSSL.


The self-signed certificate's server no longer has an A record. The MTA
identity was changed some months ago.

Other mails arrive 'normally'. Examples:

-----------------------------------------------
Received: from flan.grepular.com ([198.211.125.252]:47379) by m2.u22.net
        with esmtp (Exim 4.63) (envelope-from <zzzzzzz@zzzzzzzz>) id
        1ZMFeU-00013U-MZ for zzzzz@zzzzz; Mon, 03 Aug 2015 14:19:38 +0100
------------------------------------
Received: from hummus.csx.cam.ac.uk ([131.111.8.88]:38061) by m2.u22.net
        with esmtps (TLSv1:RC4-SHA:128) (Exim 4.63) (envelope-from
        <exim-users-bounces+zzzzzzzz>) id 1ZMFol-00013q-11 for
        zzzzz@zzzzzzz; Mon, 03 Aug 2015 14:30:15 +0100
------------------------------------
Received: from cluster-f.mailcontrol.com ([85.115.62.190]:53168) by
        m2.u22.net with esmtps (TLSv1:AES256-SHA:256) (Exim 4.63)
        (envelope-from <zzzzzzzzzzz>) id 1ZMCPk-0000qv-Sz for zzzzzzzzzz;
        Mon, 03 Aug 2015 10:52:12 +0100
-----------------------------------------------


Logwatch shows

2015-08-01 16:38:58 TLS error on connection from flan.grepular.com
[198.211.125.252]:38235 (SSL_accept): error:14094418:SSL
routines:SSL3_READ_BYTES:tlsv1 alert unknown ca: 1 Time(s)


--
Regards,

Paul.
England, EU.      England's place is in the European Union.
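The operational point in this thread is the third quoted log line: after the certificate failed to verify, Exim logged "TLS session failure: delivering unencrypted" and sent the message in the clear because the peer was not in hosts_require_tls. Whatever the intended semantics of tls_try_verify_hosts, that line (and the "with esmtp" versus "with esmtps" distinction in Received headers) is what an operator should be watching for. The following is an added example, not code from the thread or from the Exim project: a small Python parser that pulls plaintext-fallback events out of Exim main-log text, pairs each with the preceding "SSL verify error" for the same message id, and classifies Received hops by whether they used TLS. The log lines and headers it contains are constructed samples modelled on the quoted ones, with hostnames and addresses replaced by documentation values; the regular expressions assume Exim's default main-log format and may need adjusting for custom log_selector or log_file_path settings.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: Exim main-log lines modelled on the ones quoted in the thread.
# Hostnames and IPs are documentation placeholders, not the real peers.
SAMPLE_MAINLOG = """\
2015-08-03 14:19:37 1ZMFeT-0007Bc-Fj SSL verify error: depth=0 error=self signed certificate cert=/CN=m2.example.test
2015-08-03 14:19:37 1ZMFeT-0007Bc-Fj TLS error on connection to m2.example.test [192.0.2.10] (SSL_connect): error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
2015-08-03 14:19:37 1ZMFeT-0007Bc-Fj TLS session failure: delivering unencrypted to m2.example.test [192.0.2.10] (not in hosts_require_tls)
2015-08-03 14:20:02 1ZMFeU-00013U-MZ => bob@example.test R=dnslookup T=remote_smtp H=mx.example.test [192.0.2.20] X=TLSv1:AES256-SHA:256 CV=yes
"""

# Constructed sample: Received headers modelled on the ones shown in the thread.
SAMPLE_RECEIVED = [
    "Received: from flan.example.test ([192.0.2.30]:47379) by m2.example.test "
    "with esmtp (Exim 4.63) id 1ZMFeU-00013U-MZ for x@example.test; Mon, 03 Aug 2015 14:19:38 +0100",
    "Received: from hummus.example.test ([192.0.2.40]:38061) by m2.example.test "
    "with esmtps (TLSv1:RC4-SHA:128) (Exim 4.63) id 1ZMFol-00013q-11 for x@example.test; Mon, 03 Aug 2015 14:30:15 +0100",
]

# "<date> <time> <msgid> TLS session failure: delivering unencrypted to <host> [<ip>] (<reason>)"
UNENCRYPTED_RE = re.compile(
    r"^(\S+ \S+) (\S+) TLS session failure: delivering unencrypted to (\S+) \[([^\]]+)\] \((.*)\)$"
)
# "<date> <time> <msgid> SSL verify error: depth=<n> error=<text> cert=<subject>"
VERIFY_ERR_RE = re.compile(r"^(\S+ \S+) (\S+) SSL verify error: depth=(\d+) error=(.*?) cert=(.*)$")
# Received hop: the protocol word is "esmtps" for TLS, "esmtp" for cleartext; a TLS hop
# carries its cipher string in parentheses right after the protocol word.
RECEIVED_RE = re.compile(
    r"Received: from (\S+) \(\[([^\]]+)\]:\d+\) by (\S+) with (esmtps?)(?: \(((?:TLS|SSL)[^)]+)\))?"
)


@dataclass
class PlaintextFallback:
    msgid: str
    host: str
    ip: str
    reason: str                 # e.g. "not in hosts_require_tls"
    verify_error: Optional[str] # the SSL verify error seen earlier for the same message, if any


def find_plaintext_fallbacks(log_text: str) -> List[PlaintextFallback]:
    """Return every outbound delivery that fell back to cleartext, with the
    certificate-verification error that preceded it when one was logged."""
    verify_errors: Dict[str, str] = {}
    fallbacks: List[PlaintextFallback] = []
    for line in log_text.splitlines():
        m = VERIFY_ERR_RE.match(line)
        if m:
            verify_errors[m.group(2)] = m.group(4)   # keyed by message id
            continue
        m = UNENCRYPTED_RE.match(line)
        if m:
            _, msgid, host, ip, reason = m.groups()
            fallbacks.append(PlaintextFallback(msgid, host, ip, reason, verify_errors.get(msgid)))
    return fallbacks


@dataclass
class ReceivedHop:
    sender: str
    ip: str
    receiver: str
    tls: bool
    cipher: Optional[str]


def parse_received(header: str) -> Optional[ReceivedHop]:
    """Classify one Exim-style Received header as a TLS or cleartext hop."""
    m = RECEIVED_RE.search(header)
    if not m:
        return None
    sender, ip, receiver, proto, cipher = m.groups()
    return ReceivedHop(sender, ip, receiver, proto == "esmtps", cipher)


if __name__ == "__main__":
    for fb in find_plaintext_fallbacks(SAMPLE_MAINLOG):
        print(f"{fb.msgid}: cleartext to {fb.host} [{fb.ip}] ({fb.reason}); verify error: {fb.verify_error}")
    for hdr in SAMPLE_RECEIVED:
        hop = parse_received(hdr)
        print(f"{hop.sender} -> {hop.receiver}: {'TLS ' + hop.cipher if hop.tls else 'CLEARTEXT'}")
```

Run against a real main log, the fallback list is the set of deliveries where opportunistic TLS silently degraded; if a host in that list is one you expected to be protected, it belongs in hosts_require_tls rather than only in tls_try_verify_hosts.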