[exim] Re: Debug TLS/DANE problems

Author: Jeremy Harris
Date:  
To: exim-users
Subject: [exim] Re: Debug TLS/DANE problems
On 02/07/2024 20:44, Wolfgang via Exim-users wrote:
> to debug, why the valid CERT is not accepted for a DANE verified outbound connection, I tried to
> enable debugging via ACL:
>
>> acl_smtp_starttls:
>>       accept
>>           message = TLS debug started
>>           logwrite = TLS debugging acl triggered
>>           control = debug
>>           control = debug/tag=.$sender_host_address
>>           control = debug/opts=-all+deliver+tls
>>           control = debug/trigger=now
>
> However I get not a single line of debug output,


If that's all you added, it's because you didn't actually define an
option called "acl_smtp_starttls" - only an ACL called that.


> When I however put those controls to "acl_log_write",


We don't know where (and when, during processing) your config arranges to have that
acl called. It's probably not a useful place for your needs.

I suggest you would be best doing this in an ACL called from the acl_smtp_connect
option. Note: option. Read the docs chapters on A) main-config options and
B) ACLs if that is not completely clear.


All that said, I don't think you'll learn anything new. As I said before, the error
comes from the GnuTLS library. That's *it* deciding to enforce the security
requirements of the certificates in play for the connection.
--
Cheers,
Jeremy

PS: https://exim.org/exim-html-current/doc/html/spec_html/
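
The distinction the reply draws between an ACL and the main-config option that calls it, as an added configuration example (not part of either poster's message). The ACL name `acl_check_connect` is an assumption chosen for illustration; the `logwrite` and `control` lines are those from the quoted config.

```conf
######################################################################
# As posted: an ACL that happens to be NAMED acl_smtp_starttls.
# No main-config option refers to it, so Exim never runs it and the
# debug controls never fire.
######################################################################
# begin acl
#
# acl_smtp_starttls:
#   accept
#       ...

######################################################################
# Suggested in the reply: set the main option acl_smtp_connect and
# point it at an ACL. The option goes in the main configuration
# section, i.e. before the first "begin" line.
######################################################################
acl_smtp_connect = acl_check_connect

begin acl

# Assumed ACL name; any name works as long as the option above
# refers to it.
acl_check_connect:
  accept
      logwrite = TLS debugging acl triggered
      control  = debug
      # tag= adds a suffix to the debug log file name, here the
      # address of the connecting host.
      control  = debug/tag=.$sender_host_address
      control  = debug/opts=-all+deliver+tls
      control  = debug/trigger=now
```

Running `exim -bP acl_smtp_connect` prints the current value of the main option, which shows whether the option itself is set rather than only an ACL of a similar name being defined.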

