Re: [exim] present client certificate on server->server conn…

Top Page
Delete this message
Reply to this message
Author: Heiko Schlittermann
Date:  
To: exim-users
Subject: Re: [exim] present client certificate on server->server connection
Hi,
Adrian Zaugg via Exim-users <exim-users@???> (Fr 01 Jun 2018 02:05:04 CEST):
>
> I try to set tls_certificate and tls_privatekey in remote smtp transport
> in order to instruct exim to present a client certificate on a
> connection made to another server. I get an error saying:
>
> 2018-06-01 00:22:34 1fOVxp-0005XP-S0 TLS error on connection to
> ts6.checktls.com [104.131.23.181] (cert/key setup:
> cert=/etc/ssl/letsencrypt/ente.limmat.ch/fullchain.pem
> key=/etc/ssl/letsencrypt/ente.limmat.ch/privkey.pem): Error while
> reading file.


> I tried as user Debian-exim to cat both files which worked. I tried to


Did you try to cat the full path with a working directory '/':

    cd /
    sudo -u Debian-exim cat /etc/ssl/letsencrypt/ente.limmat.ch/privkey.pem


? I guess, you've restrictions on some directory down to the file
Exim needs to read. All dirs need to have at least x-Permissions for the
Exim runtime user (Debian-exim in your case).


> reference a copy in /etc/exim4 which made the error go away, but remote
> servers do not get to see my client cert – at least this is what
> checktls.com Test Sender TLS reports:



We are at 4.91, I'm not sure, if Devuan does backport the security
fixes. Please check.
>
> What am I missing?


The certificate/key you use as a server are configured in the
main options tls_certificate and tls_privatekey. These options _do not
apply_ to the transport, where Exim acts as a client.
To have Exim use a cert as a client, you need to set the transport
options (having the same name).


    begin transpors


        remote_smtp:
            driver = smtp
            tls_certificate = …
            tls_privatekey = …


PS: I do not know if and how your ACME client supports "hooks", actions
that are executed after getting a fresh certificate. I use "dehydrated"
as ACME client and do the following:

[once at setup]
    mkdir /var/lib/exim4
    touch /var/lib/exim4/ssl.pem
    chown Debian-exim: /var/lib/exim4/ssl.pem


[hook, executed after getting the cert]
    cat privkey.pem fullchain.pem > /var/lib/exim4/ssl.pem


Yes, just into one file. Read the doc about tls_certificate and
tls_privatekey, the latter doesn't need to be set if the file referenced
by tls_certificate contains the key and the cert. (order does not
matter).

And, no need to restart/reload Exim, as the certs are accessed on
demand.

HTH.

    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
-- 
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -