Re: [exim] Ignoring SSL-Errors on self signed certificates

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Viktor Dukhovni
Datum:  
To: exim-users
Betreff: Re: [exim] Ignoring SSL-Errors on self signed certificates
On Thu, Apr 14, 2016 at 09:58:40AM +0100, Jeremy Harris wrote:

> On 14/04/16 07:14, Luca Bertoncello wrote:
> > I have a Server with Exim on my Server and another Server with Exim
> > (4.87) that sends E-Mail using the first server as Relay.
>
> > this warning:
> >
> > SSL verify error: depth=0 error=self signed certificate
>
> Not quite clear on which server you're logging this,
>
> Have a look at the smtp-transport and
> main-section config options tls_verify_hosts and
> tls_try_verify_hosts; write a hostlist that excludes
> your other server.


In future versions of Exim it might be reasonable to not log detailed
chain verification errors when doing unauthenticated opportunistic
TLS, i.e., when it is OK to send in the clear or transmission
proceeds regardless of verification errors.

FWIW, in Postfix the only detail that's logged in such cases is a
one-word TLS verification status along with the protocol version
and cipher.

    * Anonymous - server used an certificateless ADH or AECDH cipher
                  suite.
    * Untrusted - server presented a certificate which did not chain
                  up to a configured trust-anchor.
    * Trusted   - server presented a certificate which did chain up
          to a configured trust-anchor.
    * Verified  - verification was required and the server chain was
          trusted and matched name or fingerprint checks.
          Detailed errors performing verification are logged
          only when verification is required.


-- 
    Viktor.