Re: [exim] SSL wildcard certificate intermediate CA weirdnes…

Author: Christian Balzer
Date:  
To: Exim-users
CC: Jeremy Harris
Subject: Re: [exim] SSL wildcard certificate intermediate CA weirdness

Hello,

On Fri, 20 Dec 2019 00:38:29 +0000 Jeremy Harris via Exim-users wrote:

> On 20/12/2019 00:15, Christian Balzer via Exim-users wrote:
> > Kinda implied by the VIP, pacemaker bits. :)
>
> You're running a loadbalancer for smtp? When a couple of
> MX's does the same job with far fewer moving parts?


I assumed the SSL certificate would have been a strong hint that this
is not for MXs, but for Exim in the MSA role, i.e. the bit people configure
in their clients for outgoing mail server.

And these indeed tend to be behind load balancers (production) or at the
very least HA VIPs (as in this test case).

Certificates on the MXs are an "in my copious spare time, nice to have"
item.

> I've never understood why anyone would do that.
> Short on public IP allocations?
>

Not really (he says looking at the core /17). ^o^

That said, when you ask people these days for hundreds of v4 IPs they tend
to question if that's really needed.

> > The same VIP was used for testing with HTTPS (apache), IMAPS and POP3S
> > (dovecot) w/o issues so the problem is not systemic and inherent to Exim
> > or more likely the SSL libraries it uses.
>
> So, what TLS libraries are being used? I assume your Exim is GnuTLS -
> but if you build your own, you could use OpenSSL or LibreSSL.


As I said, Debian Stretch 4.89. GnuTLS 3.5.8 (with patches) it seems.

Regards,

Christian
> --
> Cheers,
> Jeremy
>
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
>



-- 
Christian Balzer        Network/Systems Engineer                
chibi@???       Rakuten Mobile Inc.