Re: [exim] TLS verify

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Viktor Dukhovni
Datum:  
To: exim-users
Betreff: Re: [exim] TLS verify
On Mon, Aug 03, 2015 at 04:55:08PM +0100, Mike Cardwell wrote:

> Well, this is my smtp transport:
>
> remote_smtp:
>     driver                  = smtp
>     tls_verify_certificates = /etc/ssl/certs/
>     tls_try_verify_hosts    = *
>     tls_verify_hosts        = snake.grepular.com : flan.grepular.com
>     hosts_require_tls       = snake.grepular.com : flan.grepular.com


Since opportunistic TLS will be used even without any attempts at
authentication, see what happens if you drop the "tls_try_verify_hosts".
Why bother, if you send either way?

> Which to me looks like it shouldn't be causing this problem. I have
> a bunch of other TLS config, but it's in the global scope rather
> than in a transport, so *should* only apply to incoming connections:
>
> tls_advertise_hosts     = *
> tls_on_connect_ports    = 465
> tls_certificate         = /etc/ssl/Exim_$received_port/ssl.crt_inc_chain
> tls_privatekey          = /etc/ssl/Exim_$received_port/ssl.key
> tls_dhparam             = /etc/exim4/dh-2048.pem
> tls_verify_certificates = /etc/ssl/certs/
> tls_try_verify_hosts    = *
> tls_require_ciphers     = DEFAULT:!EXPORT
> openssl_options         = +no_compression


I guess also remove "tls_try_verify_hosts" from the global settings.
If the problem persists, then the issue is elsewhere. If this
fixes it, then perhaps tls_try_verify_hosts is more strict than
you expect.

-- 
    Viktor.