Bug#314296: exim4 NOT verifying server certificate

Wenzhuo Zhang <wenzhuo@zhmail.com>, 314296@bugs.debian.org
Thu, 16 Jun 2005 00:18:17 +0800


Package: exim4
Version: 4.50-8
Severity: important


The Postfix smarthost allows relay only if clients successfully
authenticate (SMTP AUTH) through a TLS session. If it's a plain-text
session, SMTP clients won't be able to authenticate. The SSL certificate
of the smarthost is signed by a do-it-yourself CA.

The exim4 client can relay through the smarthost, and I have the following
entries in /etc/exim4/exim4.conf.localmacros:

MAIN_TLS_VERIFY_CERTIFICATES = /etc/exim4/cacert.crt
MAIN_TLS_VERIFY_HOSTS = mail.linux-vs.org

/etc/exim4/cacert.crt is the certificate of the do-it-yourself CA.
However, even after I replace it with a random authorized CA certificate
and restart the exim4 daemon, the exim4 client can still relay through
the smarthost.

Isn't tls_verify_certificates supposed to verify the server certificate
as well?

Wenzhuo

-- Package-specific info:
Exim version 4.50 #1 built 27-May-2005 08:08:19
Copyright (c) University of Cambridge 2004
Berkeley DB: Sleepycat Software: Berkeley DB 4.2.52: (December  3, 2003)
Support for: iconv() IPv6 GnuTLS
Lookups: lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmnz dsearch nis nis0 passwd
Authenticators: cram_md5 plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore autoreply lmtp pipe smtp
Fixed never_users: 0
Configuration file is /var/lib/exim4/config.autogenerated
# /etc/exim4/update-exim4.conf.conf
#
# Edit this file and /etc/mailname by hand and execute update-exim4.conf
# yourself or use 'dpkg-reconfigure exim4-config'
#
# Please note that this is _not_ a dpkg-conffile and that automatic changes
# to this file might happen. The code handling this will honor your local
# changes, so this is usually fine, but will break local schemes that mess
# around with multiple versions of the file.
#
# update-exim4.conf uses this file to determine variable values to replace
# the DEBCONFsomethingDEBCONF strings in the configuration template files.
#
# Most settings found in here do have corresponding questions in the
# Debconf configuration, but not all of them.
#
# This is a Debian specific file

dc_eximconfig_configtype='smarthost'
dc_other_hostnames='thinkpad.zhmail.com'
dc_local_interfaces='127.0.0.1'
dc_readhost='zhmail.com'
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets=''
dc_smarthost='mail.linux-vs.org'
CFILEMODE='644'
dc_use_split_config='false'
dc_hide_mailname='true'
dc_mailname_in_oh='true'
mailname:thinkpad.zhmail.com

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.4.31-t20.1
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages exim4 depends on:
ii  exim4-base                    4.50-8     support files for all exim MTA (v4
ii  exim4-daemon-light            4.50-8     lightweight exim MTA (v4) daemon

-- no debconf information
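
The test described in the report (replace the trusted CA file with an unrelated CA and expect verification of the server certificate to fail) can be reproduced outside Exim as a control. The script below is an added example, not part of the original report or of the exim4 package; the names diy-ca, unrelated-ca and smarthost.example are constructed placeholders, and it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example: every key, certificate and name here is generated locally.
WORK=$(mktemp -d)

# Minimal config so the CA certificates carry basicConstraints CA:TRUE.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
commonName = Common Name
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

# make_ca NAME: self-signed CA, written to NAME.key and NAME.crt
make_ca() {
    openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
        -days 2 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# make_server CA HOST: server.crt for HOST, signed by CA
make_server() {
    openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$2" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$WORK/server.csr" -days 2 \
        -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/server.crt" 2>/dev/null
}

# chain_ok CA: succeeds only if server.crt chains to CA.crt
chain_ok() {
    openssl verify -CAfile "$WORK/$1.crt" "$WORK/server.crt" >/dev/null 2>&1
}

make_ca diy-ca          # stands in for the do-it-yourself CA
make_ca unrelated-ca    # stands in for the CA file swapped in for the test
make_server diy-ca smarthost.example

chain_ok diy-ca       && echo "issuing CA: chain verifies"
chain_ok unrelated-ca || echo "unrelated CA: verification fails"
```

Against a live smarthost, the same chain check can be made with `openssl s_client -starttls smtp -connect HOST:25 -CAfile FILE` and reading the reported verify return code. A client that still completes TLS and relays after the CA swap is not enforcing the result of this check.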