[exim] SSL wildcard certificate intermediate CA weirdness

Author: Christian Balzer
To: exim-users
Subject: [exim] SSL wildcard certificate intermediate CA weirdness


I'm testing a wildcard certificate (*.do.main) with all relevant mail
system components.
Unsurprisingly that works fine with https (webmail), including missing or
broken intermediate CA bits as the browsers are being "helpful".

Checking with "openssl s_client -showcerts -connect testmail.do.main:port"
(a VIP provided and managed by pacemaker) this also pans out for dovecot on

With Exim (4.89 Debian) when connecting to testmail.do.main:465 only the
server (wildcard) certificate is returned, not the intermediate CA one.
However connecting to the 2 individual servers (smtp01 and 02.mail.do.main)
the full chain is returned and the verification succeeds.

I'm more than a bit baffled here, why would Exim ever NOT send both
certs to begin with?
There's nothing in the exim logs that differs for both cases other than
the IP address of course.

Setting up Thunderbird to use testmail.do.main:465 as SMTP server works
fine w/o any errors or requests for exceptions, so I'm not particularly
worried about this, but clearly when testing with openssl one would like
to see successes in all cases.


Christian Balzer        Network/Systems Engineer
chibi@???       Rakuten Mobile Inc.
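An added example, not from the original post or from Exim, for the comparison the poster is doing by hand: it reads the "Certificate chain" block of `openssl s_client -showcerts` output, checks that each certificate is followed by its own issuer, and tells the "leaf only, intermediate missing" case (which s_client reports as verify return code 21) apart from a complete chain. The two s_client excerpts are constructed and the CA names in them are placeholders.

```python
import re

_SUBJ = re.compile(r"^\s*(\d+)\s+s:(.*)$")           # " 0 s:CN = *.do.main"
_ISS = re.compile(r"^\s+i:(.*)$")                    # "   i:CN = <issuer>"
_VERIFY = re.compile(r"^Verify return code:\s*(\d+)", re.M)

def parse_chain(output: str) -> list:
    """Collect (depth, subject, issuer) tuples from the 'Certificate chain' block."""
    certs, pending = [], None
    for line in output.splitlines():
        m = _SUBJ.match(line)
        if m:
            pending = (int(m.group(1)), m.group(2).strip())
        elif pending and (m := _ISS.match(line)):
            certs.append((pending[0], pending[1], m.group(1).strip()))
            pending = None
    return certs

def verify_code(output: str):
    m = _VERIFY.search(output)
    return int(m.group(1)) if m else None

def diagnose(output: str) -> str:
    """Every cert but the last must be followed by its issuer; a lone non-self-signed leaf means the intermediate was never sent."""
    certs = parse_chain(output)  # each entry is (depth, subject, issuer)
    if not certs:
        return "no certificate chain in output"
    for cur, nxt in zip(certs, certs[1:]):
        if nxt[1] != cur[2]:
            return f"broken at depth {cur[0]}: issuer '{cur[2]}' != next '{nxt[1]}'"
    last = certs[-1]
    if len(certs) == 1 and last[1] != last[2]:
        return f"leaf only: intermediate '{last[2]}' not sent by server"
    return f"chain complete up to '{last[2]}' (must be in the client trust store)"

# Constructed excerpts of two s_client -showcerts runs (PEM bodies omitted);
# the CA names are placeholders, not real ones.
VIP_OUTPUT = """\
 0 s:CN = *.do.main
   i:CN = Example Intermediate CA
Verify return code: 21 (unable to verify the first certificate)
"""
HOST_OUTPUT = """\
 0 s:CN = *.do.main
   i:CN = Example Intermediate CA
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
Verify return code: 0 (ok)
"""
```

Feed it the real output with `diagnose(open("vip.txt").read())` after saving an `openssl s_client -showcerts` session to a file; a "leaf only" result against the VIP but "chain complete" against the individual hosts points at the listener or TLS configuration serving that address rather than at the certificate itself.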