[exim] Re: Debug TLS/DANE problems

Author: Chris Siebenmann
Date:  
To: Wolfgang
CC: exim-users, Chris Siebenmann
Subject: [exim] Re: Debug TLS/DANE problems
> My goal is getting information, which of the presented certs during
> the TLS handshake exim takes into account for verifying the DANE RR.
> Furthermore if exim compares hostname against CN or one of the
> additional SANs embedded in the cert.


You may want to try using an external tool (not Exim) to verify and
inspect the TLS certificate chain presented by the external mail server.
My favourite tool for this is 'certigo':
    https://github.com/square/certigo


A typical usage for this would be:
    certigo connect -v -t smtp --identity "your.host.name" remote.mail.server:smtp


Then you can see if certigo verifies the certificate chain and what key
usages the various TLS certificates involved specify (typically 'Server
Auth' and 'Client Auth' for the server's direct TLS certificate).

    - cks

