[exim] Certificate name mismatch over VPN

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Alain D D Williams
Date:  
À: exim-users
Sujet: [exim] Certificate name mismatch over VPN
I have 2 machines that are on a self hosts VPN, call them B and M.
Both machines are visible on the Internet.

When B wants to send email to M it will route it over the VPN rather than
sending it to M's public Internet address.

freshmint.phcomp.co.uk is M's public Internet name
mint-vpn.phcomp.co.uk is M's VPN name

I use certificates obtained from Let's Encrypt which is validates using the web
server that each machine has - this seems to work well. Let's encrypt can
validate the 'freshmint' name but not the 'mint-vpn' name ... that is only
visible through the VPN.

I get this error in B's log, it is complaining that M's certificate is using
the public name, not the VPN name:

[78.32.209.33] SSL verify error: certificate name mismatch: DN="/CN=freshmint.phcomp.co.uk" H="mint-vpn.phcomp.co.uk"

I could generate a certificate that is for 'mint-vpn' without much problem.

My question

How to I get exim on M to present the 'mint-vpn' certificate to
connections that come over the VPN ?

Presumably I would need to do something like this:
tls_certificate = /etc/exim/mint-vpn.crt
tls_privatekey = /etc/exim/mint-vpn.key

But where ? What condition could I use ?


The other way would be to not advertise TLS over my VPN with something like:

tls_advertise_hosts = ! 10.200.201.0/24


Thanks in advance

--
Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256 https://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: https://www.phcomp.co.uk/Contact.html
#include <std_disclaimer.h>