exim4 SSL/TLS client: refusal to verify certificate



Hello list,

I'm trying to set up an Exim4 SMTP daemon which acts as a "proxy" server
for a few PCs. It does local deliveries, and forwards outgoing mail to an
external smarthost. That works pretty well now -- the only problem is the
SSL/TLS feature. I want the connection between my Exim and the smarthost
to use TLS, because that part is routed across the Internet.

Exim seems to use TLS (STARTTLS to be exact) when delivering mail. I have
enabled the "hosts_require_tls" feature. It does not, however, verify the
certificate of the remote host by default (it happily sends passwords to
other machines, too, when I trick it via /etc/hosts).

Then I turned on the tls_verify_certificates feature. I grabbed the
certificate from the smarthost with the "openssl" cli utility, and saved
it to a PEM format file. Exim seems to understand this file format -- if I
use the two other file formats offered by "openssl", it complains about an
illegible file. With the PEM format file, I get the following log:

[connecting...]
  SMTP>> STARTTLS
read response data: size=32
  SMTP<< 220 {mp009} Ready to start TLS
initializing GnuTLS as a client
read RSA and D-H parameters from file
initialized RSA and D-H parameters
no TLS client certificate is specified
verify certificates = /etc/exim4/tlscerts.out
initialized certificate stuff
initialized GnuTLS session
TLS certificate verification failed: peerdn=/C=DE/S=Bavaria/L=Munich/O=GMX GmbH/CN=mail.gmx.net
LOG: MAIN
  TLS error on connection to mail.gmx.net [213.165.64.20]: certificate verification failed
ok=0 send_quit=0 send_rset=1 continue_more=0 yield=1 first_address=135166528
213.165.64.20 in hosts_require_tls? yes (matched "0.0.0.0/0")
[reports failure, other blurbs...]

Certificate verification failed -- how can that be? I don't want Exim to
question my certificate file. It should just check if the remote host is
the same as it used to be.

"tlscerts.out" contains a single PEM certificate, which was copied from
exactly that host mail.gmx.net. The "openssl" utility claims that this
certificate is valid when logging onto the SMTP host. I know Debian's Exim
is compiled against GnuTLS, not OpenSSL, but they're supposed to be
compatible, right?


My transport section:

t_smtp:
	driver = smtp
	hosts_require_auth = 0.0.0.0/0
	hosts_require_tls = 0.0.0.0/0
	tls_verify_certificates = /etc/exim4/tlscerts.out


Any ideas? Sorry if that is an obvious question, but the Exim manuals
don't spend a lot of time explaining how this feature is supposed to work,
and Google wasn't too friendly either...

-- 
Best Regards,  | Anyone who lets Windows boxes onto the Internet
 Sebastian     | has no business griping about SWEN!
               |--------------------------------------------------------
               | mailbox in "From" silently drops any mail > 20k
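As an added example (not part of the original post, and not Exim's own code): X.509 verification checks that the server's certificate chains up to a trusted CA certificate, so the file handed to a client's tls_verify_certificates option is normally built from the issuing CA certificate(s) rather than from the server's own leaf certificate. The POSIX shell helper below takes the transcript that `openssl s_client -starttls smtp -showcerts` prints against a smarthost, splits it into one PEM file per certificate in chain order, and collects everything above the leaf into a CA file. The host name, the paths and the certificate bodies in the embedded sample transcript are constructed placeholders; nothing is fetched from the network.

```shell
#!/bin/sh
# Added example, not code from the original post or from Exim.
# Turn the output of
#   openssl s_client -connect SMARTHOST:25 -starttls smtp -showcerts </dev/null >showcerts.txt
# into one PEM file per certificate, then collect the issuer certificate(s)
# (everything above the leaf) into a CA file for tls_verify_certificates.
set -eu

# split_showcerts INPUT OUTDIR
# Writes OUTDIR/cert0.pem (the server's own certificate), cert1.pem (its
# issuer) and so on, in the order the server sent them; prints the count.
split_showcerts() {
  awk -v d="$2" '
    /^-----BEGIN CERTIFICATE-----/ { f = sprintf("%s/cert%d.pem", d, n); n++ }
    f != ""                        { print > f }
    /^-----END CERTIFICATE-----/   { close(f); f = "" }
    END                            { print n + 0 }
  ' "$1"
}

# build_ca_file OUTDIR TARGET
# Concatenates every certificate except cert0.pem (the leaf) into TARGET and
# prints how many were written. Check the result against the leaf with:
#   openssl verify -CAfile TARGET OUTDIR/cert0.pem
build_ca_file() {
  : > "$2"
  n=0
  for c in "$1"/cert*.pem; do
    case "$c" in */cert0.pem) continue ;; esac
    cat "$c" >> "$2"
    n=$((n + 1))
  done
  echo "$n"
}

# demo: runs both steps on a constructed -showcerts transcript (placeholder
# host name and placeholder certificate bodies, not real certificates) and
# prints "<certs found> <certs in CA file> <work dir>".
demo() {
  tmp=$(mktemp -d)
  cat > "$tmp/showcerts.txt" <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=DE/O=Example Mail/CN=smtp.example.invalid
   i:/C=DE/O=Example CA/CN=Example Issuing CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER-LEAF-CERTIFICATE-BODY-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
 1 s:/C=DE/O=Example CA/CN=Example Issuing CA
   i:/C=DE/O=Example CA/CN=Example Root CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER-ISSUER-CERTIFICATE-BODY-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
---
Server certificate
subject=/C=DE/O=Example Mail/CN=smtp.example.invalid
issuer=/C=DE/O=Example CA/CN=Example Issuing CA
EOF
  found=$(split_showcerts "$tmp/showcerts.txt" "$tmp")
  kept=$(build_ca_file "$tmp" "$tmp/tlscerts.out")
  echo "$found $kept $tmp"
}

# Running the script directly executes the demo on the constructed transcript.
demo
```

On a real smarthost the transcript comes from the `openssl s_client` command in the header comment; the resulting CA file is what the smtp transport's tls_verify_certificates option should point at, and `openssl verify -CAfile` against cert0.pem confirms the chain before Exim is asked to trust it. Newer Exim releases also let the transport say for which hosts verification must succeed (tls_verify_hosts) and whether the certificate's name must match the host being connected to (tls_verify_cert_hostnames); without a name check, a CA file alone only proves that some certificate from that CA was presented.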