On Sun, Feb 02, 2020 at 08:50:03PM -0800, Ian Zimmerman via Exim-users wrote:
> On 2020-02-02 23:00, Viktor Dukhovni wrote:
>
> > And is the OpenSSL library that "/usr/bin/openssl" is linked with, the
> > same one as the one for Exim?
>
> I am quite sure it is, because I build exim myself. I cannot be 100%
> sure for debian packaged exim, but such a blunder would be completely
> out of character.

The idea is not to be "sure", but to actually check with "ldd".

> > Is the /etc/ssl/certs/ directory "hashed" (lots of funny
> > <hexdigits>.<smalldecimal> symlinks)?
>
> Yes.

Well, in that case perhaps Exim is not loading the default CA locations,
or there's some sort of file access control (SELinux? AppArmor? ...)
that's preventing Exim from reading the directory.

You'll have to "strace" Exim and see what it is doing when it fails
to verify the peer chain.

Did you share the destination domain name at any point? Perhaps
its certificate chain really does have some sort of issue.
--
Viktor.
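
The two checks discussed in this message (comparing the OpenSSL libraries that "ldd" reports for two binaries, and inspecting the hashed CA directory), as an added example that is not part of the original message. The function names are hypothetical, and the binaries and the directory are passed as arguments rather than assumed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the thread.
# Usage: sh check.sh <openssl-binary> <exim-binary> <ca-directory>

# Print "name path" for libssl/libcrypto from ldd-style output on stdin.
tls_libs() {
    awk '$1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" { print $1, $3 }' | sort
}

# Succeed only if both binaries resolve to the same libssl/libcrypto files.
# Empty output means the binary is not dynamically linked against OpenSSL.
same_tls_libs() {
    a=$(ldd "$1" | tls_libs)
    b=$(ldd "$2" | tls_libs)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Count <8 hexdigits>.<decimal> entries, the subject-hash names that
# OpenSSL looks up in a CA directory.
hashed_links() {
    ls -1 "$1" 2>/dev/null | grep -c -E '^[0-9a-f]{8}\.[0-9]+$' || true
}

# List hashed entries the current user cannot read (dangling link or
# access control). Run it as the user Exim runs as for a useful answer.
unreadable_links() {
    for f in "$1"/*; do
        case ${f##*/} in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*)
                [ -r "$f" ] || printf '%s\n' "$f" ;;
        esac
    done
}

if [ "$#" -eq 3 ]; then
    if same_tls_libs "$1" "$2"; then
        echo "both binaries use the same OpenSSL libraries"
    else
        echo "OpenSSL libraries differ, or one binary does not use OpenSSL"
    fi
    echo "hashed entries in $3: $(hashed_links "$3")"
    unreadable_links "$3"
fi
```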