Re: [exim] Enable TLS with basic Exim4 config

Góra strony
Delete this message
Reply to this message
Autor: Heiko Schlittermann
Data:  
Dla: exim-users
Temat: Re: [exim] Enable TLS with basic Exim4 config
John Smith <j0hnsm1th@???> (Mi 14 Jun 2017 01:08:15 CEST):
>    Hello,

>
>    After some questions about the config files with a Debian system, I
>    continued playing with Exim and the TLS!
>    I think it's on the good way because now I get "STARTTLS" from telnet
>    and get some certificates answer... But client like Thunderbird can't
>    connect using TLS... :(

>
>    So now... I'm here and when I launch swaks to test the TLS (swaks -a
>    -tls -q HELO -s localhost -au user -ap '<>'), I got :

>
>    === Trying localhost:25...
>    === Connected to localhost.


>     ~> QUIT
>    <~  221 mail closing connection
>    === Connection closed with remote host.


Looks good.

>    Here, I saw that AUTH "PLAIN" and "LOGIN" seems to be availabe after
>    getting the TLS started.


Yes. Intentionally.

>    Then, asking the server about certificates using openssl command
>    (openssl s_client -connect mail.domain.lan:465) showed :

>
>    - One certificate returned with the "error" (warning ?) : verify
>    error:num=18:self signed certificate


>    No client certificate CA names sent
>    ---


>
>    So... Did I have to fix the error "No client certificate CA names sent"
>    ? Maybe by using a sign process with LetsEncrypt or something else ?


No, the client isn't obligated to send a certificate.
But TB may be uncomfortable with your self signed certificate.
Mail clients typically want to see a certificate with a matching
CN or SAN (matching the host's name they connect to).

You can debug it using tcpdump, to see if TB at least tries to use
TLS


    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
-- 
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -