Re: [exim] Certificate validation failed

Góra strony
Delete this message
Reply to this message
Autor: Dominik Vogt
Data:  
Dla: exim-users
CC: Andreas Metzler
Temat: Re: [exim] Certificate validation failed
On Sat, Oct 30, 2021 at 08:07:02AM +0200, Andreas Metzler via Exim-users wrote:
>
> If a host is in tls_verify_hosts and hosts_try_tls but not in
> hosts_require_tls exim will fall back to cleartext.


The Debian-11/Devuan-4 defaults for "SMARTHOST for outgoing main,
fetchmail for incoming mail" are what caused this:

.ifdef MAIN_TLS_VERIFY_HOSTS
tls_verify_hosts = MAIN_TLS_VERIFY_HOSTS
.endif

.ifdef MAIN_TLS_TRY_VERIFY_HOSTS
tls_try_verify_hosts = MAIN_TLS_TRY_VERIFY_HOSTS
.endif

  .ifndef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
    REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS = *
  .endif
  .ifdef REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS
    hosts_require_tls = REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS
  .endif


No idea to what values of the upper case variables are in the
first place. Are they defined at compile time; is there a way to
look them up, other than from the Debian src package?

> @original submitter:
> * Use a certiticate that verifyable without client-side changes., e.g. setup
> DANE on the server and/or use e.g. a letsencrypt cert.


It's not my server, but the colleague says it supports DANE. I
may look into that later.

> * Give client-side exim a way to verify the cert by adding the cert to
> the trusted list.


Thanks. That works.

> * Modify the tls_verify_hosts setting.


There's no such setting in /var/lib/exim4/config.autogenerated.

Ciao

Dominik ^_^ ^_^

--

Dominik Vogt