On Mon, Aug 03, 2015 at 04:55:08PM +0100, Mike Cardwell wrote:
> Well, this is my smtp transport:
>
> remote_smtp:
>   driver = smtp
>   tls_verify_certificates = /etc/ssl/certs/
>   tls_try_verify_hosts = *
>   tls_verify_hosts = snake.grepular.com : flan.grepular.com
>   hosts_require_tls = snake.grepular.com : flan.grepular.com
Since opportunistic TLS will be used even without any attempts at
authentication, see what happens if you drop the "tls_try_verify_hosts".
Why bother, if you send either way?
> Which to me looks like it shouldn't be causing this problem. I have
> a bunch of other TLS config, but it's in the global scope rather
> than in a transport, so *should* only apply to incoming connections:
>
> tls_advertise_hosts = *
> tls_on_connect_ports = 465
> tls_certificate = /etc/ssl/Exim_$received_port/ssl.crt_inc_chain
> tls_privatekey = /etc/ssl/Exim_$received_port/ssl.key
> tls_dhparam = /etc/exim4/dh-2048.pem
> tls_verify_certificates = /etc/ssl/certs/
> tls_try_verify_hosts = *
> tls_require_ciphers = DEFAULT:!EXPORT
> openssl_options = +no_compression
I guess also remove "tls_try_verify_hosts" from the global settings.
If the problem persists, then the issue is elsewhere. If this
fixes it, then perhaps tls_try_verify_hosts is more strict than
you expect.
--
Viktor.
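An added example, not part of the thread or of Exim itself: a small Python model of how the three host lists in the quoted remote_smtp transport combine into a per-destination TLS policy (hosts_require_tls, tls_verify_hosts checked before tls_try_verify_hosts), so the redundancy Viktor points at is visible for a given host. It assumes a simplified host-list matcher (exact names, `*`, and `*.suffix` patterns only) and does not model Exim's built-in defaults for unset options.

```python
# Added example (not from the thread or from Exim): derive the effective
# outbound TLS policy the quoted remote_smtp transport gives each host.
from dataclasses import dataclass

# Constructed copy of the transport options quoted in the thread.
TRANSPORT = {
    "hosts_require_tls": "snake.grepular.com : flan.grepular.com",
    "tls_verify_hosts": "snake.grepular.com : flan.grepular.com",
    "tls_try_verify_hosts": "*",
}

def parse_host_list(value):
    """Split an Exim-style colon-separated host list into lowercase patterns."""
    return [p.strip().lower() for p in value.split(":") if p.strip()]

def host_matches(host, patterns):
    """Simplified host-list match: '*' matches any host, '*.suffix' matches
    hosts under that suffix, anything else is an exact case-insensitive name.
    (Exim's IP, lookup and regex forms are deliberately not modelled.)"""
    host = host.lower()
    for pat in patterns:
        if pat == "*" or pat == host:
            return True
        if pat.startswith("*.") and host.endswith(pat[1:]):
            return True
    return False

@dataclass(frozen=True)
class TlsPolicy:
    require_tls: bool  # deliver only over TLS (hosts_require_tls)
    verify: str        # "required", "try" or "none"

def effective_policy(host, transport):
    """tls_verify_hosts is consulted before tls_try_verify_hosts, so a host on
    both lists gets mandatory verification; a host on neither still gets
    opportunistic TLS, just without any certificate check."""
    require = host_matches(host, parse_host_list(transport.get("hosts_require_tls", "")))
    if host_matches(host, parse_host_list(transport.get("tls_verify_hosts", ""))):
        verify = "required"
    elif host_matches(host, parse_host_list(transport.get("tls_try_verify_hosts", ""))):
        verify = "try"
    else:
        verify = "none"
    return TlsPolicy(require, verify)

def redundant_try_verify(transport):
    """The case in the thread: tls_try_verify_hosts = * next to an explicit
    tls_verify_hosts list. Dropping it changes nothing for the named hosts
    and only removes a non-blocking verification attempt for the rest."""
    return (parse_host_list(transport.get("tls_try_verify_hosts", "")) == ["*"]
            and bool(parse_host_list(transport.get("tls_verify_hosts", ""))))
```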