I have 2 machines that are on a self-hosted VPN, call them B and M.
Both machines are visible on the Internet.
When B wants to send email to M it will route it over the VPN rather than
sending it to M's public Internet address.
freshmint.phcomp.co.uk is M's public Internet name
mint-vpn.phcomp.co.uk is M's VPN name
I use certificates obtained from Let's Encrypt, which it validates using the web
server that each machine has - this seems to work well. Let's Encrypt can
validate the 'freshmint' name but not the 'mint-vpn' name ... that is only
visible through the VPN.
I get this error in B's log; it is complaining that M's certificate is using
the public name, not the VPN name:
[78.32.209.33] SSL verify error: certificate name mismatch: DN="/CN=freshmint.phcomp.co.uk" H="mint-vpn.phcomp.co.uk"
I could generate a certificate that is for 'mint-vpn' without much problem.
My question:
How do I get exim on M to present the 'mint-vpn' certificate to
connections that come over the VPN?
Presumably I would need to do something like this:
tls_certificate = /etc/exim/mint-vpn.crt
tls_privatekey = /etc/exim/mint-vpn.key
But where? What condition could I use?
The other way would be to not advertise TLS over my VPN with something like:
tls_advertise_hosts = ! 10.200.201.0/24
Thanks in advance
--
Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256
https://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information:
https://www.phcomp.co.uk/Contact.html
#include <std_disclaimer.h>
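The conditional certificate selection asked about above, as an added example that is not part of the original post or of Exim's own documentation. It assumes M's VPN interface address lies in 10.200.201.0/24 (the range named in the post), that the public certificate and key live at /etc/exim/freshmint.crt and /etc/exim/freshmint.key (hypothetical paths), and that $received_ip_address and the match_ip condition are usable in this expansion.

```exim
# Added example, not from the original post. Main configuration section of
# exim on M. Keep TLS advertised everywhere (rather than switching it off for
# the VPN with "tls_advertise_hosts = ! 10.200.201.0/24"), and pick the
# certificate from the local address the client connected to.

# Assumption: M's VPN address is inside this range.
VPN_NET = 10.200.201.0/24

tls_advertise_hosts = *

# $received_ip_address is the local IP the connection arrived on; match_ip
# tests it against a host list. The file paths for the public name are
# hypothetical; the mint-vpn paths are the ones given in the post.
tls_certificate = ${if match_ip{$received_ip_address}{VPN_NET} \
                     {/etc/exim/mint-vpn.crt} \
                     {/etc/exim/freshmint.crt}}
tls_privatekey  = ${if match_ip{$received_ip_address}{VPN_NET} \
                     {/etc/exim/mint-vpn.key} \
                     {/etc/exim/freshmint.key}}
```

Because the mint-vpn certificate cannot come from Let's Encrypt, B will only stop logging the verify error once its smtp transport trusts whatever issued that certificate (for example a private CA listed in tls_verify_certificates on B); otherwise the name mismatch is simply replaced by an unknown-issuer error.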