On Mon, Aug 03, 2015 at 02:56:11PM +0000, Viktor Dukhovni wrote:
>> 2015-08-01 16:38:58 TLS error on connection from flan.grepular.com
>> [198.211.125.252]:38235 (SSL_accept): error:14094418:SSL
>> routines:SSL3_READ_BYTES:tlsv1 alert unknown ca: 1 Time(s)
>
> Consistent with the OP's report, his Exim SMTP client is terminating
> the SSL handshake when the peer's certificate fails to verify (in
> this case sending a fatal 'unknown ca' alert).
>
> So something in the OP's configuration seems to be making TLS
> authentication mandatory for various peers.
Well, this is my smtp transport:
remote_smtp:
  driver = smtp
  tls_verify_certificates = /etc/ssl/certs/
  tls_try_verify_hosts = *
  tls_verify_hosts = snake.grepular.com : flan.grepular.com
  hosts_require_tls = snake.grepular.com : flan.grepular.com
Which to me looks like it shouldn't be causing this problem. I have
a bunch of other TLS config, but it's in the global scope rather
than in a transport, so *should* only apply to incoming connections:
tls_advertise_hosts = *
tls_on_connect_ports = 465
tls_certificate = /etc/ssl/Exim_$received_port/ssl.crt_inc_chain
tls_privatekey = /etc/ssl/Exim_$received_port/ssl.key
tls_dhparam = /etc/exim4/dh-2048.pem
tls_verify_certificates = /etc/ssl/certs/
tls_try_verify_hosts = *
tls_require_ciphers = DEFAULT:!EXPORT
openssl_options = +no_compression
--
Mike Cardwell https://grepular.com https://emailprivacytester.com
OpenPGP Key 35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
XMPP OTR Key 8924 B06A 7917 AAF3 DBB1 BF1B 295C 3C78 3EF1 46B4
Want to hire me? Currently available for full-time and contracts
https://hireme.grepular.com <- More info here
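The check below is an added example, not something from the original thread or from Exim itself. It parses log lines of the form quoted at the top of the message, lists the peers that sent a 'unknown ca' alert, and then, for each peer, reports what a transport with the tls_verify_hosts / tls_try_verify_hosts settings shown above would do if certificate verification of that peer failed: abort (host is in tls_verify_hosts), or log CV=no and carry on (host only matches tls_try_verify_hosts). The log lines and the mail.example.invalid peer are constructed for the example; the host lists are copied from the transport in the message.

```shell
#!/bin/sh
# Added example (not from the thread): who sent us 'unknown ca', and what our
# own transport's verification policy is for each of those peers.

# Constructed sample mainlog lines, in the layout shown in the quoted report.
SAMPLE_LOG='2015-08-01 16:38:58 TLS error on connection from flan.grepular.com [198.211.125.252]:38235 (SSL_accept): error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
2015-08-01 17:02:10 TLS error on connection from mail.example.invalid [192.0.2.10]:44120 (SSL_accept): error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
2015-08-01 17:05:00 <= sender@example.invalid H=mail.example.invalid [192.0.2.10] P=esmtps X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=1234'

# Host lists exactly as written in the remote_smtp transport above
# (Exim host lists are colon-separated; whitespace around items is ignored).
VERIFY_HOSTS='snake.grepular.com : flan.grepular.com'
TRY_VERIFY_HOSTS='*'

# Print "hostname ip" for every line in which the connecting client aborted
# the handshake with a 'unknown ca' alert, i.e. it did not trust our chain.
unknown_ca_peers() {
    printf '%s\n' "$SAMPLE_LOG" \
      | grep 'alert unknown ca' \
      | sed -n 's/.*TLS error on connection from \([^ ]*\) \[\([^]]*\)\].*/\1 \2/p'
}

# Return 0 if host $1 matches the Exim host list $2. Only literal names and
# the '*' wildcard are handled here; Exim itself accepts richer patterns.
in_host_list() {
    items=$(printf '%s\n' "$2" | tr ':' '\n' \
              | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    printf '%s\n' "$items" | grep -qFx -e '*' -e "$1"
}

# What the transport does when verification of peer $1's certificate fails:
#   mandatory     - host is in tls_verify_hosts: the delivery attempt is aborted
#   opportunistic - host only matches tls_try_verify_hosts: logged as CV=no,
#                   delivery continues
#   none          - neither list matches: no verification is attempted
verify_policy() {
    if in_host_list "$1" "$VERIFY_HOSTS"; then
        echo mandatory
    elif in_host_list "$1" "$TRY_VERIFY_HOSTS"; then
        echo opportunistic
    else
        echo none
    fi
}

# Report: one line per peer that rejected our chain, with our policy for it.
unknown_ca_peers | while read -r host ip; do
    printf '%s [%s] rejected our chain; our verification policy for it: %s\n' \
        "$host" "$ip" "$(verify_policy "$host")"
done
```

Note the direction of each check: an 'unknown ca' line logged under SSL_accept was sent by the *connecting* client, so it says that peer could not build a trust path to the certificate and chain this server presents (tls_certificate). verify_policy answers the opposite question, what the local smtp transport does when it is the client and the remote server's certificate does not verify against tls_verify_certificates. Keeping the two apart is what Viktor's remark about the OP's client sending the alert turns on.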