Re: [exim] present client certificate on server->server conn…

Author: Heiko Schlittermann
To: exim-users
Subject: Re: [exim] present client certificate on server->server connection
Adrian Zaugg via Exim-users <exim-users@???> (So 03 Jun 2018 02:16:02 CEST):
>
> After some testing I found:
>
> tls_certificate and tls_privatekey in the transport section and in the
> main configuration do not behave the same way as far as file access is
> concerned, at least in 4.84_2:
>
> In contrast to the transport section, in the main configuration it
> - works with symlinks along the way
> - works with certs/keys outside exim's confdir


In both sections it should behave the same way and I'm not aware of
anything that e.g. deals with Exim's config directory there.

In both cases the Exim runtime user (Debian-exim on Debian based
systems) should be used to access the files, and it should not matter
if the filenames referenced in the configuration are symbolic links or
plain files.

Did you do the check I suggested?

    cd /
    sudo -u Debian-exim openssl x509 -in <path to the cert> -noout -text
    sudo -u Debian-exim openssl rsa -in <path to the key> -noout -text


??

> Both provoke the error "Error while reading file." for the option
> appearing in the smtp transport.


Do you use the 'user' option in your smtp transport that uses the
certificates?

> (Furthermore checktls.com's TestSender page does not recognize a client
> cert properly, it seems to always write "Subject Name: undefined").


This leads me to the above test (using openssl to check
the certs) again.

And, are your certs issued by a known (public) CA? I can imagine that
checktls.com only accepts certs from a valid CA. Do you need to send the
intermediate certs? If you've put them into the cert file, in which
order did you put them?

Please note, the above paragraph contains more than 1 question :)

> Is this behaviour the same in 4.91+? Is there a reason for the option to
> behave differently?


If they behave differently, then there is no reason. I can check it, but
please, first, answer the above questions and run the tests I suggested.

    Best regards from Dresden/Germany
    Kind regards from Dresden
    Heiko Schlittermann
-- 
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
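The file-access check suggested in the message above, as an added shell example that is not part of the original thread or of Exim: it walks every directory component (and a symlink's target) as the calling user and reports the first one that denies access, so it must be run with `sudo -u Debian-exim` like the openssl commands; the file names in the comment are placeholders.

```shell
#!/bin/sh
# Added example, not Exim's own tooling: report the first path component the
# *calling* user cannot traverse or read for the files named in tls_certificate
# and tls_privatekey. Run it as the Exim runtime user (placeholder paths):
#   sudo -u Debian-exim sh check_tls_files.sh /etc/exim4/exim.crt /etc/exim4/exim.key

# check_path FILE: every directory from / down must be searchable (x) by the
# caller and FILE itself readable (r). Returns 0 if so, else prints why and returns 1.
check_path() {
    file=$1
    case $file in /*) ;; *) file=$PWD/$file ;; esac   # make relative paths absolute
    acc=""
    old_ifs=$IFS
    IFS=/                                              # split the directory part on "/"
    for part in $(dirname -- "$file"); do
        IFS=$old_ifs
        [ -n "$part" ] || continue
        acc="$acc/$part"
        if [ ! -x "$acc" ]; then
            echo "no search (x) permission on directory $acc"
            return 1
        fi
    done
    IFS=$old_ifs
    if [ ! -r "$file" ]; then
        echo "cannot read $file"
        return 1
    fi
    return 0
}

# check_tls_file FILE: like check_path, but a symlink is only as readable as its
# target, so the resolved path is checked first (readlink -f: GNU/BusyBox coreutils).
check_tls_file() {
    f=$1
    if [ -L "$f" ]; then
        resolved=$(readlink -f -- "$f") || return 1
        echo "$f is a symlink to $resolved"
        check_path "$resolved" || return 1
    fi
    check_path "$f" || return 1
    echo "ok: $f is readable by $(id -un)"
    return 0
}

# Check every file given on the command line; exit non-zero if any check fails.
if [ $# -gt 0 ]; then
    rc=0
    for f in "$@"; do check_tls_file "$f" || rc=1; done
    exit $rc
fi
```

Note that as root every permission test succeeds, which is exactly why the check must run as the runtime user rather than from a root shell.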