Hello,
I'm unable to make exim provide its certificate when it connects to
another server.
I have two exim (4.92) servers (Debian) -- one is my secondary mx
(Source) which sends mails to my primary mx (Destination). I want them
to mutually authenticate themselves (preferably using DANE).
Both servers have TLS configured (STARTTLS) using GnuTLS and show
"green" in various smtp tls checking tools.
When S sends a mail to D, I see a "CV=yes" in S logs (S validated the
certificate of D), but "CV=no" in the logs of D (and $tls_in_peerdn is
not defined).
When I connect from S to D using swaks and force the use of exim's
certificate with --tls-cert, D sees it and validates.
D also sees and validates other certificates, from gmail for example,
or from my thunderbird when I connect to D via SMTP.
If I require the use of a certificate (tls_verify_hosts) on D instead of
just "trying" it, the messages from S do not pass.
With DANE configured (both servers are "green" in
https://dane.sys4.de/), when I send a mail from S to D, it shows
"CV=dane" on S and "CV=no" on D.
The config on both servers is:
tls_advertise_hosts = *
tls_require_ciphers = ${if =={$received_port}{25}{NORMAL:%COMPAT}{SECURE192:+SECURE128:-VERS-ALL:+VERS-TLS1.2}}
tls_verify_certificates = /etc/ssl/certs/ca-certificates.crt   # Debian bundle
tls_try_verify_hosts = *
In transports I have:
hosts_require_tls = S:D
tls_verify_certificates = /etc/ssl/certs/ca-certificates.crt
I also have an ACL that tries to
verify = certificate
and logs the value of $tls_in_peerdn
So my question: is it possible to force exim to present its certificate
when it connects to another server as client?
And, if yes, what am I doing wrong?
Can I validate S's certificate on D with DANE?
Thanks for your advice!
A.
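As an added example (not the poster's configuration and not a reply from the list), the two places Exim reads a certificate from: the main-section tls_certificate is used only when Exim is the server, while a transport presents a client certificate only if tls_certificate/tls_privatekey are set on that transport itself. The certificate paths are placeholders, and S and D stand for the poster's two hosts as in the post; the DANE line assumes the DNSSEC setup the poster already has working on S.

```exim
# Added example, not the poster's config. Paths are placeholders.
# Main section: applies only when Exim is the SERVER (receiving mail).
tls_advertise_hosts = *
tls_certificate = /etc/exim4/exim.crt
tls_privatekey = /etc/exim4/exim.key
tls_verify_certificates = /etc/ssl/certs/ca-certificates.crt
tls_try_verify_hosts = *
# On D only, to reject S unless it presents a certificate that verifies
# against the bundle above (instead of merely trying):
# tls_verify_hosts = S

begin transports

# Client side: the main-section tls_certificate is NOT reused here.
# Without tls_certificate on the transport, Exim sends no certificate when
# connecting out, so the receiving side logs CV=no and $tls_in_peerdn
# stays unset even though the main section has TLS fully configured.
remote_smtp:
  driver = smtp
  hosts_require_tls = S:D
  tls_certificate = /etc/exim4/exim.crt
  tls_privatekey = /etc/exim4/exim.key
  tls_verify_certificates = /etc/ssl/certs/ca-certificates.crt
  # DANE authenticates the SERVER only: S looks up D's TLSA record and
  # logs CV=dane. It gives D no way to verify S's certificate; that check
  # on D is the CA-bundle verification configured in the main section.
  hosts_require_dane = D
```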