[exim] Re: Fixing or disabling TLS for internal network host…

Author: AC
Date:
To: exim-users
Subject: [exim] Re: Fixing or disabling TLS for internal network hosts
On 2023-10-07 21:44, Viktor Dukhovni via Exim-users wrote:
> On Sat, Oct 07, 2023 at 08:52:24PM -0700, AC via Exim-users wrote:
>
>> The error message on the main server is:
>> TLS error on connection from [host] (recv): A TLS fatal alert has been
>> received.: Certificate is bad
>
> You've misunderstood the message. TLS "alerts" are errors reported to
> the local TLS endpoint by the remote peer endpoint (in this case the
> SMTP client). So the real problem is not with the clients' self-signed
> certificates, but rather that the clients are unable to verify the
> server certificate.
>
> Perhaps the clients don't have the right set of trusted CAs configured
> with which to verify the server certificate. Or they know the server
> under a different name than the one in the certificate.
>
>> I have the advertise set to * for incoming mail from the public side but the
>> rest are empty. How would I alter this to not advertise TLS to the internal
>> hosts and still advertise to all other hosts?
>>
>
> This is not really the right question. There's no reason to disable
> TLS. The better options are:
>
>      - Enable the clients to verify the server certificate validity and
>        matching hostname.
>
>      - Configure the client TLS settings to do TLS *without*
>        authentication, just ignore the server certificate and
>        protect the traffic against passive monitoring only.
>

Technically I don't need the clients to use TLS at all; I'm not worried
about internal traffic, so I'm fine with disabling that on the clients.
Which option on the client disables asking for a TLS connection?

The server is also self-signed so that would be why the clients can't
verify the certificate.

As for misunderstanding the error, perhaps it could be modified to
better explain which side is causing the message since I obviously
assumed that a message in the server logs indicated the server had a
problem absent any other identifying information.

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
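The two client-side options Viktor lists above, written out as an added Exim smtp-transport fragment that is not part of this thread; the transport name, relay hostname and certificate path are assumed placeholders:

```exim
# Added example (not from the thread): smtp transport on an internal Exim
# client that sends to a self-signed relay. "internal_relay",
# "mail.example.internal" and the .pem path are assumed placeholders.
internal_relay:
  driver = smtp

  # Option 1 (preferred): verify the relay's certificate and hostname.
  # A self-signed server certificate is its own trust anchor, so the
  # relay's cert is copied into this file. Using "system" here would
  # consult the OS CA bundle instead, which does not contain it.
  tls_verify_certificates = /etc/exim/relay-cert.pem
  tls_verify_hosts = mail.example.internal
  # Never fall back to cleartext for the relay.
  hosts_require_tls = mail.example.internal

  # Option 2: encrypt without authentication. Verification is attempted
  # but a failure is only logged and delivery continues, which protects
  # against passive monitoring only (no protection from an active
  # man-in-the-middle). Replace the two verify lines above with:
  # tls_try_verify_hosts = mail.example.internal
  # hosts_require_tls = mail.example.internal

  # Weakest choice, for comparison: do not even offer TLS to the relay.
  # hosts_avoid_tls = mail.example.internal
```

Verification failures under option 1 defer delivery, so check the client's main log and retry queue after changing the trust file.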