Hi,
John Smith <j0hnsm1th@???> (Wed 14 Jun 2017 07:41:03 CEST):
> Hello Heiko,
>
> When I used exim-gencert, I set the FQDN name of the Exim server in the
> field "Server name (eg. ssl.domain.tld; required!!!) [])". So here I
> think it's good.
I do not know exim-gencert, but from having a short look at it, it
seems to generate a self-signed certificate.
> With the default Thunderbird detection, I get : SMTP with port 25 and
> no TLS... If I confirm this for the account, then as you said, there is
> a certificate warning :/
Ooops? NO TLS *and* a certificate warning? What warning are you talking
about? Warning from TB or warning in the Exim logs?
> So it comes because it's a self signed certificate ? No way to generate
> a true certificate for LAN network ? That's why I asked about
> LetsEncrypt in my previous mail.
Exim does not care about the certificate it uses as a server. If you
created a certificate using exim-gencert and install it in your server
setup, Exim will start using it, completely independent of the name you
entered when creating the cert.

TB, as a client, connects to your server and asks for the certificate.
After doing this, TB wants to verify the certificate. I *think* TB
insists on

- successful verification via the trust chain, from the certificate
  up to a certificate TB has in its trust store.
  If you use self-signed certs, you can import the self-signed cert
  (the one Exim uses as a server) into your TB trust store

- having a common name or subject alternative name matching the
  hostname TB connects to (the name from TB's settings dialog)
  To ease things, I'd use a FQDN in the TB settings, and take care
  that this name always resolves to the address of my Exim

I get the feeling there's some confusion about certs on client, certs
on server, trust chain, CA, and so on.
> Ok, I will dig this morning with tcpdump.
And? Can you share the dump? (the output from tcpdump -A could be
helpful)
--
Heiko
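
Added example, not part of the original message and not Exim or Thunderbird code: a small Python sketch of the two client-side checks described in the reply above (trust anchor and name match), applied to a certificate in the dict layout of Python's `ssl.SSLSocket.getpeercert()`. The function names, the host `mail.example.lan` and the address `192.168.1.10` are constructed, and trust is simplified to a lookup by issuer name.

```python
# Added illustration; all names and sample values are constructed.
# Certificates use the dict layout of Python's ssl.SSLSocket.getpeercert().

def _attrs(field):
    # Flatten ((('commonName', 'x'),), ...) into {'commonName': 'x'}.
    return {k: v for rdn in field for k, v in rdn}

def presented_names(cert):
    """DNS names the certificate claims: SAN entries, else the CN as fallback."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    cn = _attrs(cert.get("subject", ())).get("commonName")
    return [cn] if cn else []

def name_matches(pattern, host):
    """Case-insensitive match; '*' is allowed only as the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def diagnose(cert, configured_host, trusted_subjects):
    """Return the reasons a client would warn; an empty list means no warning."""
    problems = []
    issuer = cert.get("issuer")
    # Simplification: trust anchors are looked up by name only. A real client
    # verifies the signature of every certificate in the chain.
    if issuer not in trusted_subjects:
        self_signed = issuer == cert.get("subject")
        problems.append("self-signed, not imported" if self_signed
                        else "issuer not trusted")
    if not any(name_matches(n, configured_host) for n in presented_names(cert)):
        problems.append("name mismatch")
    return problems

# Constructed sample: a self-signed certificate issued for mail.example.lan.
_DN = ((("commonName", "mail.example.lan"),),)
SAMPLE_CERT = {"subject": _DN, "issuer": _DN,
               "subjectAltName": (("DNS", "mail.example.lan"),)}

if __name__ == "__main__":
    print(diagnose(SAMPLE_CERT, "192.168.1.10", set()))
    print(diagnose(SAMPLE_CERT, "mail.example.lan", {SAMPLE_CERT["subject"]}))
```

The first call models a client configured with the server's IP address and an empty trust store; the second models the same client after importing the certificate and switching to the FQDN.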