Re: [exim] Cert Verification CV=no

Author: Jeremy Harris
Date:  
To: exim-users
Subject: Re: [exim] Cert Verification CV=no
On 17/06/16 09:19, Rob Gunther wrote:
> I will work on getting a correct certificate, does anyone know a way as the
> sender to verify that I have my new certificate installed and working
> correctly?
>
> I guess I would need to send mail somewhere.


If you care enough, set up a receiver and send to it, watching
its log. OpenSSL Exim builds, at least, are quite verbose in certificate
error reporting (I'm considering turning it down a bit).

To dig deeper, you can use Events and custom ACL snippets to log
extracted fields from the certificate chain.

Debug output may also be of interest.

> Does the certificate need to match the hostname, or can I use a wildcard
> cert?


Whether that is checked at all depends on the SSL library versions.
More recent ones do (but it's an application decision,
so it will always be destination-dependent). A (limited) wildcard
name ought to be acceptable - certainly it is for Exim when verifying
certificate names.

Exim added name-checks as Experimental in 4.83, moving to
mainline (default-enabled) in 4.85. The option controlling
it in the smtp transport is "tls_verify_cert_hostnames".
--
Cheers,
Jeremy
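A worked configuration illustrating the three things mentioned above (a receiver that logs what the peer presented, an Events hook with an ACL snippet that logs fields extracted from the chain, and the tls_verify_cert_hostnames option on the smtp transport). This is an added example, not from the post or from the Exim distribution; the file paths, hostnames and ACL names are made up, and the option and expansion names are as documented for Exim 4.85 and later, so check them against your own version's spec:

```exim
# ----- main section -----
# Receiving side: offer to verify a client certificate against the
# system CA bundle but do not reject if it fails.  A failed
# verification is what shows up as "CV=no" in the receiver's log.
tls_certificate         = /etc/exim/tls/mx.example.com.crt   # assumed path
tls_privatekey          = /etc/exim/tls/mx.example.com.key   # assumed path
tls_verify_certificates = system
tls_try_verify_hosts    = *

acl_smtp_mail = acl_check_mail

# ----- ACL section -----
begin acl

# Inbound: write the peer certificate's subject, alternative names and
# expiry to the mainlog, so a sender testing a new certificate can see
# exactly what arrived and whether it verified (1) or not (0).
acl_check_mail:
  warn  condition = ${if def:tls_in_cipher}
        logwrite  = TLS client cert: verified=$tls_in_certificate_verified \
                    subject=${certextract{subject}{$tls_in_peercert}{$value}{none}} \
                    altnames=${certextract{subj_altname}{$tls_in_peercert}{$value}{none}} \
                    notafter=${certextract{notafter}{$tls_in_peercert}{$value}{none}}
  accept

# Outbound: called from the transport's event_action once per
# certificate in the server's chain; $event_data carries the depth.
acl_log_tls_cert:
  warn  logwrite = TLS server chain depth $event_data: \
                   subject=${certextract{subject}{$tls_out_peercert}{$value}{none}} \
                   issuer=${certextract{issuer}{$tls_out_peercert}{$value}{none}}
  accept

# ----- transports section -----
begin transports

remote_smtp:
  driver = smtp
  tls_verify_certificates   = system
  tls_try_verify_hosts      = *
  # Require the server certificate's name to match the host connected
  # to.  This is the default ("*") from 4.85 onwards; it is set
  # explicitly here so the intent survives a config review.
  tls_verify_cert_hostnames = *
  # Hook the tls:cert event and hand each chain element to the ACL above.
  event_action = ${if eq {$event_name}{tls:cert} {${acl {acl_log_tls_cert}}}}
```

With this in place, a test message sent to the receiver produces one "TLS client cert:" line per session on the receiving host, and the sending host logs one "TLS server chain depth N:" line per certificate in the remote chain. A wildcard name such as *.example.com in the subject or subj_altname field will satisfy tls_verify_cert_hostnames for a single-label host under that domain; whether a remote site accepts the same wildcard on your client certificate is still that site's decision.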