[exim] Re: Fixing or disabling TLS for internal network host…

Pàgina inicial
Delete this message
Reply to this message
Autor: Viktor Dukhovni via Exim-users
Data:  
A: exim-users
Assumpte: [exim] Re: Fixing or disabling TLS for internal network hosts
On Sat, Oct 07, 2023 at 08:52:24PM -0700, AC via Exim-users wrote:

> The error message on the main server is:
> TLS error on connection from [host] (recv): A TLS fatal alert has been
> received.: Certificate is bad


You've misunderstood the message. TLS "alerts" are errors reported to
the local TLS endpoint by the remote peer endpoint (in this case the
SMTP client). So the real problem is not with the clients' self-signed
certificates, but rather that the clients are unable to verify the
server certificate.

Perhaps the clients don't have the right set of trusted CAs configured
with which to verify the server certificate. Or they know the server
under a different name than the one in the certificate.

> I have the advertise set to * for incoming mail from the public side but the
> rest are empty. How would I alter this to not advertise TLS to the internal
> hosts and still advertise to all other hosts?
>


This is not really the right question. There's no reason to disable
TLS. The better options are:

    - Enable the clients to verify the server certificate validity and
      matching hostname.


    - Configure the client TLS settings to do TLS *without*
      authentication, just ignore the server certificate and
      protect the traffic against passive monitoring only.


-- 
    Viktor.


--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/