Bug#314296: Re: Bug#314296: exim4 NOT verifying server certificate
Marc Haber
Marc Haber <mh+debian-packages@zugschlus.de>, 314296@bugs.debian.org
Sun, 19 Jun 2005 01:29:57 +0200
On Sun, Jun 19, 2005 at 07:05:06AM +0800, Wenzhuo Zhang wrote:
> On Sat, Jun 18, 2005 at 10:59:37AM +0200, Marc Haber wrote:
> > As Andreas spotted correctly, conf.d/main/03_exim4-config_tlsoptions
> > only controls verification of the client certificates. For server
> > certificate checking, you need to add the configuration option to the
> > SMTP transport.
> >
> > I am reluctant to add infrastructure for this to the default
> > configuration, since this is quite rarely used, and could break mail
> > delivery.
>
> My personal experiences tell me that SMTP AUTH over TLS is a very common
> setup.
SMTP AUTH over TLS with actual verification of the server certificate
is not very common nowadays.
> > I have, however clarified the documentation in
> > conf.d/main/03_exim4-config_tlsoptions to clearly say that this option
> > here only concernd client certificates and added a hint where to
> > configure server certificate verification.
>
> How about adding a macro, say MAIN_TLS_VERIFY_SMARTHOST, to
> conf.d/transport/30_exim4-config_remote_smtp_smarthost?
Where should the package automatically obtain the CA certificate to
verify the server against? How to handle the case of delivering two
different smarthost, one of them having a self-signed certificate?
You're suggesting to open a can of worms here.
Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835