Bug#314296: marked as done (exim4 NOT verifying server certificate)
Debian Bug Tracking System
owner@bugs.debian.org
Wed, 15 Jun 2005 10:33:57 -0700
Your message dated Wed, 15 Jun 2005 19:22:24 +0200
with message-id <20050615172224.GA3042@downhill.aus.cc>
and subject line Bug#314296: exim4 NOT verifying server certificate
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 15 Jun 2005 16:20:33 +0000
>From wenzhuo@zhmail.com Wed Jun 15 09:20:33 2005
Return-path: <wenzhuo@zhmail.com>
Received: from (dragon.linux-vs.org) [202.109.113.90]
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1Diacy-0000uK-00; Wed, 15 Jun 2005 09:20:33 -0700
Received: from localhost (localhost.localdomain [127.0.0.1])
by dragon.linux-vs.org (Postfix) with ESMTP id 0753110996
for <submit@bugs.debian.org>; Thu, 16 Jun 2005 00:20:30 +0800 (CST)
Received: from dragon.linux-vs.org ([127.0.0.1])
by localhost (dragon.linux-vs.org [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id 30901-07 for <submit@bugs.debian.org>;
Thu, 16 Jun 2005 00:20:29 +0800 (CST)
Received: from localhost.localdomain (unknown [222.64.144.79])
by dragon.linux-vs.org (Postfix) with ESMTP id C93071005D
for <submit@bugs.debian.org>; Thu, 16 Jun 2005 00:20:29 +0800 (CST)
Received: from wenzhuo by localhost.localdomain with local (Exim 4.50)
id 1Diaan-0000zO-Sv
for submit@bugs.debian.org; Thu, 16 Jun 2005 00:18:17 +0800
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Wenzhuo Zhang <wenzhuo@zhmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: exim4 NOT verifying server certificate
X-Mailer: reportbug 3.8
Date: Thu, 16 Jun 2005 00:18:17 +0800
Message-Id: <E1Diaan-0000zO-Sv@localhost.localdomain>
X-Virus-Scanned: by amavisd-new at linux-vs.org
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-5.0 required=4.0 tests=BAYES_00,HAS_PACKAGE,
RCVD_IN_SBLXBL,RCVD_IN_SBLXBL_SBL autolearn=no
version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
Package: exim4
Version: 4.50-8
Severity: important
The Postfix smarthost allows relay only if clients successfully
authenticate (SMTP AUTH) through a TLS session. If it's a plain-text
session, SMTP clients won't be able to authenticate. The SSL certficate
of the smarthost is signed by a do-it-yourself CA.
exim4 client can relay through the smarthost, and I have the following
entries in /etc/exim4/exim4.conf.localmacros:
MAIN_TLS_VERIFY_CERTIFICATES = /etc/exim4/cacert.crt
MAIN_TLS_VERIFY_HOSTS = mail.linux-vs.org
/etc/exim4/cacert.crt is the certificate of the do-it-yourself CA.
However, even after I replace it with a random authorized CA certificate
and restart the exim4 daemon, the exim4 client can still relay through
the smarthost.
Isn't tls_verify_certificates supposed to verify the server certificate
as well?
Wenzhuo
-- Package-specific info:
Exim version 4.50 #1 built 27-May-2005 08:08:19
Copyright (c) University of Cambridge 2004
Berkeley DB: Sleepycat Software: Berkeley DB 4.2.52: (December 3, 2003)
Support for: iconv() IPv6 GnuTLS
Lookups: lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmnz dsearch nis nis0 passwd
Authenticators: cram_md5 plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore autoreply lmtp pipe smtp
Fixed never_users: 0
Configuration file is /var/lib/exim4/config.autogenerated
# /etc/exim4/update-exim4.conf.conf
#
# Edit this file and /etc/mailname by hand and execute update-exim4.conf
# yourself or use 'dpkg-reconfigure exim4-config'
#
# Please note that this is _not_ a dpkg-conffile and that automatic changes
# to this file might happen. The code handling this will honor your local
# changes, so this is usually fine, but will break local schemes that mess
# around with multiple versions of the file.
#
# update-exim4.conf uses this file to determine variable values to replace
# the DEBCONFsomethingDEBCONF strings in the configuration template files.
#
# Most settings found in here do have corresponding questions in the
# Debconf configuration, but not all of them.
#
# This is a Debian specific file
dc_eximconfig_configtype='smarthost'
dc_other_hostnames='thinkpad.zhmail.com'
dc_local_interfaces='127.0.0.1'
dc_readhost='zhmail.com'
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets=''
dc_smarthost='mail.linux-vs.org'
CFILEMODE='644'
dc_use_split_config='false'
dc_hide_mailname='true'
dc_mailname_in_oh='true'
mailname:thinkpad.zhmail.com
-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.4.31-t20.1
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Versions of packages exim4 depends on:
ii exim4-base 4.50-8 support files for all exim MTA (v4
ii exim4-daemon-light 4.50-8 lightweight exim MTA (v4) daemon
-- no debconf information
---------------------------------------
Received: (at 314296-done) by bugs.debian.org; 15 Jun 2005 17:22:33 +0000
>From ametzler@downhill.at.eu.org Wed Jun 15 10:22:32 2005
Return-path: <ametzler@downhill.at.eu.org>
Received: from m26s25.vlinux.de [83.151.30.59] ([mGdM6v47pe3raBmJpRAsq4jXDYidoBDg])
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1Dibay-00030d-00; Wed, 15 Jun 2005 10:22:32 -0700
Received: from adsl-149.221.166.194.arpa.as1901.net
([194.166.221.149] helo=argenau.downhill.at.eu.org ident=[hGtSO/a1+tAD7OX8YHShB3k4ftuXQTC8])
by m26s25.vlinux.de with esmtpa (Exim 4.50)
id 1DibYF-0004Im-Jr
for 314296-done@bugs.debian.org; Wed, 15 Jun 2005 17:19:46 +0000
Received: from ametzler by argenau.downhill.at.eu.org with local (Exim 4.50)
id 1Dibaq-0000vZ-KE
for 314296-done@bugs.debian.org; Wed, 15 Jun 2005 19:22:24 +0200
Date: Wed, 15 Jun 2005 19:22:24 +0200
From: Andreas Metzler <ametzler@downhill.at.eu.org>
To: 314296-done@bugs.debian.org
Subject: Re: Bug#314296: exim4 NOT verifying server certificate
Message-ID: <20050615172224.GA3042@downhill.aus.cc>
References: <E1Diaan-0000zO-Sv@localhost.localdomain>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <E1Diaan-0000zO-Sv@localhost.localdomain>
X-GPG-Fingerprint: BCF7 1345 BE42 B5B8 1A57 EE09 1D33 9C65 8B8D 7663
User-Agent: Mutt/1.5.9i
X-Spam-Score: -2.5 (--)
Delivered-To: 314296-done@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-4.0 required=4.0 tests=BAYES_20,HAS_BUG_NUMBER
autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
On 2005-06-15 Wenzhuo Zhang <wenzhuo@zhmail.com> wrote:
> Package: exim4
> Version: 4.50-8
> Severity: important
> The Postfix smarthost allows relay only if clients successfully
> authenticate (SMTP AUTH) through a TLS session. If it's a plain-text
> session, SMTP clients won't be able to authenticate. The SSL certficate
> of the smarthost is signed by a do-it-yourself CA.
> exim4 client can relay through the smarthost, and I have the following
> entries in /etc/exim4/exim4.conf.localmacros:
> MAIN_TLS_VERIFY_CERTIFICATES = /etc/exim4/cacert.crt
> MAIN_TLS_VERIFY_HOSTS = mail.linux-vs.org
> /etc/exim4/cacert.crt is the certificate of the do-it-yourself CA.
> However, even after I replace it with a random authorized CA certificate
> and restart the exim4 daemon, the exim4 client can still relay through
> the smarthost.
> Isn't tls_verify_certificates supposed to verify the server certificate
> as well?
[...]
No, it is not.
From the respective documentation:
# A list of hosts which are constrained by `tls_verify_certificates'.
# A host that matches `tls_verify_host' must present a certificate
# that is verifyable through `tls_verify_certificates' in order to be
# accepted as an SMTP client.
In your setup *exim* is the client.
You'll need to set the respective tls_verify_certificates option on
the transport, instead of the global options "tls_verify_certificates"
and "tls_verify_hosts"
cu andreas
--
"See, I told you they'd listen to Reason," [SPOILER] Svfurlr fnlf,
fuhggvat qbja gur juveyvat tha.
Neal Stephenson in "Snow Crash"
http://downhill.aus.cc/