[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

exim4 SSL/TLS client: refusal to verify certificate

Hello list,

I'm trying to set up an Exim4 SMTP daemon which acts as a "proxy" server
for a few PCs. It does local deliveries, and forwards outgoing mail to an
external smarthost. That works pretty good now -- the only problem is the
SSL/TLS feature. I want the connection between my Exim and the smarthost
to use TLS, because that part is routed across the Internet.

Exim seems to use TLS (STARTTLS to be exact) when delivering mail. I have
enabled the "hosts_require_tls" feature. It does not however verify the
certificate of the remote host by default (happily sends passwords to
other machines, too, when I trick it via /etc/hosts).

Then I turned on the tls_verify_certificates feature. I grabbed the
certificate from the smarthost with the "openssl" cli utility, and saved
it to a PEM format file. Exim seems to understand this file format -- if I
use the two other file formats offered by "openssl", it complains about an
illegible file. With the PEM format file, I get the following log:

read response data: size=32
  SMTP<< 220 {mp009} Ready to start TLS
initializing GnuTLS as a client
read RSA and D-H parameters from file
initialized RSA and D-H parameters
no TLS client certificate is specified
verify certificates = /etc/exim4/tlscerts.out
initialized certificate stuff
initialized GnuTLS session
TLS certificate verification failed: peerdn=/C=DE/S=Bavaria/L=Munich/O=GMX GmbH/CN=mail.gmx.net
  TLS error on connection to mail.gmx.net []: certificate verification failed
ok=0 send_quit=0 send_rset=1 continue_more=0 yield=1 first_address=135166528 in hosts_require_tls? yes (matched "")
[reports failure, other blurbs...]

Certificate verification failed -- how can that be? I don't want Exim to
question my certificate file. It should just check if the remote host is
the same as it used to be.

"tlscerts.out" contains a single PEM certificate, which was copied from
exactly that host mail.gmx.net. Then "openssl" utility claims that this
certificate is valid when logging onto the SMTP host. I know Debian's Exim
is compiled against GnuTLS, not OpenSSL, but they're supposed to be
compatible, right?

My transport section:

	driver = smtp
	hosts_require_auth =
	hosts_require_tls =
	tls_verify_certificates = /etc/exim4/tlscerts.out

Any ideas? Sorry if that is an obvious question, but the Exim manuals
don't spend a lot of time explaining how this feature is supposed to work,
and Google wasn't too friendly either...

Best Regards,  | Wer Windows-Rechner ins Internet lässt,
 Sebastian     | braucht nicht über SWEN stänkern!
               | mailbox in "From" silently drops any mail > 20k

Reply to: