Re: [exim] Enable TLS with basic Exim4 config

Top Page
Delete this message
Reply to this message
Author: Heiko Schlittermann
Date:  
To: exim-users
Subject: Re: [exim] Enable TLS with basic Exim4 config
Hi,

John Smith <j0hnsm1th@???> (Mi 14 Jun 2017 07:41:03 CEST):
>    Hello Heiko,

>
>    When I used exim-gencert, I set the FQDN name of the Exim server in the
>    field "Server name (eg. ssl.domain.tld; required!!!) [])". So here I
>    think it's good.


I do not known exim-gencert, but from having a short look at it, it
seems to generate a self-signed certificate.

>    With the default Thunderbird detection, I get : SMTP with port 25 and
>    no TLS... If I confirm this for the account, then as you said, there is
>    a certificate warning :/


Ooops? NO TLS *and* a certificate warning? What warning are you talking
about? Warning from TB or warning in the Exim logs?

>    So it comes because it's a self signed certificate ? No way to generate
>    a true certificate for LAN network ? That's why I asked about
>    LetsEncrypt in my previous mail.


Exim does not care about the certificate is uses as a server. If you
created a certificate using exim-gencert and install it in your server
setup, Exim will start using it, completly independend on the name you
entered when creating the cert.

TB, as a client, connects to your server and asks for the certificate.
After doing this, TB wants to verify the certificate. I *think*, TB
insists on

    - successful verification via the trust chain, from the certificate
      up to a certificate, TB has in its trust store.


      If you use self-signed certs, you can import the self-signed cert
      (the one, Exim uses as a server) into your TB trust store


    - having a common name or subject alternative name matching the
      hostname, TB connects to (the name from TB's settings dialog)


      To ease the things, I'd use a FQDN in the TB settings, and take care
      that this name always resolves to the address of my Exim



I get the feeling, there's some confusion about certs on client, certs
on server, trust chain, CA, and so on.

>    Ok, I will dig this morning with tcpdump.


And? Can you share the dump? (the output from tcpdump -A could be
helpful)

--
Heiko