Re: exim4 as a smarthost with TLS

To: debian-user@lists.debian.org
Subject: Re: exim4 as a smarthost with TLS
From: rudu <rudu@cegetel.net>
Date: Sat, 31 Jul 2021 01:08:19 +0200
Message-id: <[🔎] e094dc7c-090c-a0c5-397f-2a9bede492cb@cegetel.net>
In-reply-to: <[🔎] E1m9VMD-0004Qk-Be@enotuniq.net>
References: <[🔎] 9eda91c1-b4b3-2821-8e48-23aee9d5852b@cegetel.net> <[🔎] E1m9VKI-0004QT-Jk@enotuniq.net> <[🔎] E1m9VMD-0004Qk-Be@enotuniq.net>

Thank you Reco, see below

Le 30/07/2021 à 18:27, Reco a écrit :

On Fri, Jul 30, 2021 at 07:25:34PM +0300, Reco wrote:

	Hi.

On Fri, Jul 30, 2021 at 03:35:28PM +0200, rudu wrote:

Still, a simple :
$ mail -s test my.name@provider.fr
... ends up to show in # tail -f /var/log/exim4/mainlog :
2021-07-30 10:58:09 1m9OLJ-000cAf-Ss <= my.name@provider.fr U=rudu P=local S=461
2021-07-30 10:58:10 1m9OLJ-000cAf-Ss == my.name@provider.fr R=smarthost T=remote_smtp_smarthost defer (-37) H=smtpauth.provider.fr [185.204.xxx.xxx]: TLS
session: (certificate verification failed): certificate invalid

Your exim certificate has nothing to do with this.
But your smarthost certificate certainly does.

Every time you try to send a mail, your exim checks certificate of
remote MTA, and it does not like what it sees.

So, when I ran the command :
# bash /usr/share/doc/exim4-base/examples/exim-gencert
... did I miss something that should be there ?

It's possible. Please provide an output of:

grep -i 'tls_.*verify' /var/lib/exim4/config.autogenerated

grep split exim4/update-exim4.conf.conf

A typo.

grep -i 'tls_.*verify' /var/lib/exim4/config.autogenerated

# grep -i 'tls_.*verify' /var/lib/exim4/config.autogenerated
.ifndef MAIN_TLS_VERIFY_CERTIFICATES

MAIN_TLS_VERIFY_CERTIFICATES = ${ifexists{/etc/ssl/certs/ca-certificates.crt}\

tls_verify_certificates = MAIN_TLS_VERIFY_CERTIFICATES
.ifdef MAIN_TLS_VERIFY_HOSTS
tls_verify_hosts = MAIN_TLS_VERIFY_HOSTS
.ifdef MAIN_TLS_TRY_VERIFY_HOSTS
tls_try_verify_hosts = MAIN_TLS_TRY_VERIFY_HOSTS
.ifndef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
  REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS = *
.ifdef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_CERTIFICATES
  tls_verify_certificates = REMOTE_SMTP_SMARTHOST_TLS_VERIFY_CERTIFICATES
.ifdef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
  tls_verify_hosts = REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS

grep split /etc/exim4/update-exim4.conf.conf

# grep split /etc/exim4/update-exim4.conf.conf
dc_use_split_config='false'

I'm afraid I don't understand much of what you're asking me.
Hope that it gives you any hint about what's going wrong here.

Thank you again.

Rudu

Reply to:

Follow-Ups:
- Re: exim4 as a smarthost with TLS
  - From: Reco <recoverym4n@enotuniq.net>

References:
- exim4 as a smarthost with TLS
  - From: rudu <rudu@cegetel.net>
- Re: exim4 as a smarthost with TLS
  - From: Reco <recoverym4n@enotuniq.net>
- Re: exim4 as a smarthost with TLS
  - From: Reco <recoverym4n@enotuniq.net>

Prev by Date: Re: what binds to port
Next by Date: Package: libspeexdsp1 (1.2~rc1.2-1.1)
Previous by thread: Re: exim4 as a smarthost with TLS
Next by thread: Re: exim4 as a smarthost with TLS
Index(es):
- Date
- Thread