Bug#314296: Re: Bug#314296: exim4 NOT verifying server certificate

Marc Haber Marc Haber <mh+debian-packages@zugschlus.de>, 314296@bugs.debian.org
Sat, 18 Jun 2005 10:59:37 +0200


Hi,

On Thu, Jun 16, 2005 at 11:29:15AM +0800, Wenzhuo Zhang wrote:
> On Thu, Jun 16, 2005 at 01:04:30AM +0200, Marc Haber wrote:
> > > Isn't tls_verify_certificates supposed to verify the server certificate
> > > as well?
> > 
> > It should. However, that code is not very well tested. Can you give me
> > an SMTP AUTH account on the smarthost to try it myself?
> 
> Sure. The SMTP server supports PLAIN/LOGIN authentication mechanisms
> over TLS.  The username of the test account is "debian". I'll send you
> the password through another message. You can forward it to other Debian
> developers.

As Andreas spotted correctly, conf.d/main/03_exim4-config_tlsoptions
only controls verification of the client certificates. For server
certificate checking, you need to add the configuration option to the
SMTP transport.

I am reluctant to add infrastructure for this to the default
configuration, since this is quite rarely used, and could break mail
delivery.

I have, however, clarified the documentation in
conf.d/main/03_exim4-config_tlsoptions to clearly say that this option
here only concerns client certificates and added a hint where to
configure server certificate verification.

The SMTP account you have created is therefore not needed any more and
can be removed.

If there is anything more we can do for you, please feel free to
re-open the bug that Andreas closed.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835
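
The distinction described in the message above, as an added configuration sketch that is not part of the original e-mail or of the Debian package: the main-section option only checks certificates presented by clients connecting to this Exim, while verifying the smarthost's server certificate has to be set on the smtp transport. The transport name `remote_smtp_smarthost` and the CA bundle path are assumptions; adjust them to the local configuration.

```conf
# --- main section (e.g. conf.d/main/03_exim4-config_tlsoptions) ---
# Applies when Exim acts as the TLS *server*: the CA list used to check
# certificates presented by connecting clients. It has no effect on
# outgoing deliveries to a smarthost.
tls_verify_certificates = /etc/ssl/certs/ca-certificates.crt   # assumed path

# --- transports section ---
# Applies when Exim acts as the TLS *client*: this is where the
# smarthost's server certificate is checked.
remote_smtp_smarthost:            # assumed transport name
  driver = smtp
  # Do not fall back to clear text if STARTTLS is unavailable;
  # otherwise a stripped STARTTLS offer bypasses verification entirely.
  hosts_require_tls = *
  # CA bundle the smarthost's certificate must chain to.
  tls_verify_certificates = /etc/ssl/certs/ca-certificates.crt   # assumed path
  # Later Exim releases also take an explicit host list on the transport
  # for which a failed verification must abort the connection.
  tls_verify_hosts = *
```

As the message notes, a failed verification stops delivery to that host, so check the smarthost's certificate chain against the chosen CA bundle before enabling this.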