[exim] Does Exim present its certificate when acting as cli…

Author: Antoine
Date:  
To: exim-users
Subject: [exim] Does Exim present its certificate when acting as client?
Hello,

I'm unable to make Exim provide its certificate when it connects to
another server.

I have two Exim (4.92) servers (Debian) -- one is my secondary MX
(Source, S) which sends mail to my primary MX (Destination, D). I want them
to mutually authenticate themselves (preferably using DANE).
Both servers have TLS configured (STARTTLS) using GnuTLS and show
"green" in various SMTP TLS checking tools.

When S sends a mail to D, I see a "CV=yes" in S logs (S validated the
certificate of D), but "CV=no" in the logs of D (and $tls_in_peerdn is
not defined).
When I connect from S to D using swaks and force the use of Exim's
certificate with --tls-cert, D sees it and validates it.
D also sees and validates other certificates, from Gmail for example,
or from my Thunderbird when I connect to D over SMTP.
If I require the use of a certificate (tls_verify_hosts) on D instead of
just "trying" it, the messages from S do not pass.

With DANE configured (both servers are "green" in
https://dane.sys4.de/), when I send a mail from S to D, it shows
"CV=dane" on S and "CV=no" on D.

The config on both servers is:

tls_advertise_hosts = *
tls_require_ciphers = ${if \
  =={$received_port}{25}{NORMAL:%COMPAT}{SECURE192:+SECURE128:-VERS-ALL:+VERS-TLS1.2}}
# Debian bundle
tls_verify_certificates = /etc/ssl/certs/ca-certificates.crt
tls_try_verify_hosts = *

In transports I have:
  hosts_require_tls = S:D
  tls_verify_certificates = /etc/ssl/certs/ca-certificates.crt

I also have an ACL that tries to
  verify = certificate
and logs the value of $tls_in_peerdn

So my question: is it possible to force Exim to present its certificate
when it connects to another server as a client?
And if so, what am I doing wrong?
Can I validate S's certificate on D with DANE?

Thanks for your advice!

A.
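Added example (not the poster's configuration, and not a reply from the list): the main-section tls_certificate in Exim applies only when Exim acts as a server, so a client certificate must be configured on the smtp transport itself. Certificate and key paths, the transport name and the single-file layout (rather than Debian's split config) are assumptions.

```exim
# Main section: these certificate options are used only when Exim is
# receiving mail as a server (this is what S already has).
tls_advertise_hosts = *
tls_certificate = /etc/exim4/exim.crt
tls_privatekey = /etc/exim4/exim.key
tls_verify_certificates = /etc/ssl/certs/ca-certificates.crt
tls_try_verify_hosts = *

begin transports

remote_smtp:
  driver = smtp
  hosts_require_tls = S:D
  # Without tls_certificate/tls_privatekey here, Exim still negotiates
  # STARTTLS as a client but sends no certificate, so the receiving side
  # logs CV=no and $tls_in_peerdn stays unset.
  tls_certificate = /etc/exim4/exim.crt
  tls_privatekey = /etc/exim4/exim.key
  # Verification of the server's certificate (what produces CV=yes on S).
  tls_verify_certificates = /etc/ssl/certs/ca-certificates.crt
```

On D, once S presents a certificate, tls_try_verify_hosts keeps the CV= log field as an observation only; switching D to tls_verify_hosts for S is what makes a missing or invalid client certificate a hard failure.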