Bug#522690: exim4-daemon-heavy: previously working client ssl certificate setup fails to work in lenny
Stephen Gran
sgran at debian.org
Sun Apr 5 21:35:22 UTC 2009
Package: exim4-daemon-heavy
Version: 4.69-9
Severity: important
Hi there,
I use ssl certificates to control mail relaying. This means that the
client must present its ssl certificates to the central server.
In general, though, since I, in my role as DSA, want to use roughly
the same config file with a few ifdef's to control behavior on lots
of machines, this means that all machines should, generally speaking,
present their client certs on all TLS transactions when asked to do so.
In etch, I used a remote_smtp transport like so:
remote_smtp_smarthost:
  debug_print = "T: remote_smtp_smarthost for $local_part@$domain"
  driver = smtp
  port = 587
  tls_certificate = CONFDIR/lobefin.net.crt
  tls_privatekey = CONFDIR/lobefin.net.key
In lenny, the following transport:
remote_smtp:
  driver = smtp
  connect_timeout = 1m
  tls_certificate = /etc/exim4/ssl/thishost.crt
  tls_privatekey = /etc/exim4/ssl/thishost.key
Completely fails to send a client certificate. If I add validation
options (tls_verify_hosts, tls_try_verify_hosts) the client will send
its certificate, but only when it validates against the mail server CA,
and will send cleartext otherwise. This seems rather pointless, when
what I want to do is use TLS as transport protection in the general
case, but allow machines that have valid certificates to relay.
This is a pretty clear regression, hence the severity. If there is
something I've missed, please let me know - I don't see it right now.
Cheers,
-- Package-specific info:
Exim version 4.69 #1 built 30-Sep-2008 18:26:44
Copyright (c) University of Cambridge 2006
Berkeley DB: Berkeley DB 4.6.21: (September 27, 2007)
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc GnuTLS move_frozen_messages Content_Scanning Old_Demime
Lookups: lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmnz dnsdb dsearch ldap ldapdn ldapm mysql nis nis0 passwd pgsql sqlite
Authenticators: cram_md5 cyrus_sasl dovecot plaintext spa
Routers: accept dnslookup ipliteral iplookup manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Fixed never_users: 0
Size of off_t: 8
Configuration file is /etc/exim4/exim4.conf
-- System Information:
Debian Release: 5.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-1-686 (SMP w/8 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.utf8)
Shell: /bin/sh linked to /bin/bash
Versions of packages exim4-daemon-heavy depends on:
ii debconf [debconf-2.0] 1.5.24 Debian configuration management sy
ii exim4-base 4.69-9 support files for all Exim MTA (v4
ii libc6 2.7-18 GNU C Library: Shared libraries
ii libdb4.6 4.6.21-11 Berkeley v4.6 Database Libraries [
ii libgnutls26 2.4.2-6+lenny1 the GNU TLS library - runtime libr
ii libldap-2.4-2 2.4.11-1 OpenLDAP libraries
ii libmysqlclient15off 5.0.51a-24 MySQL database client library
ii libpam0g 1.0.1-5 Pluggable Authentication Modules l
ii libpcre3 7.6-2.1 Perl 5 Compatible Regular Expressi
ii libperl5.10 5.10.0-19 Shared Perl library
ii libpq5 8.3.6-1 PostgreSQL C client library
ii libsasl2-2 2.1.22.dfsg1-23 Cyrus SASL - authentication abstra
ii libsqlite3-0 3.5.9-6 SQLite 3 shared library
exim4-daemon-heavy recommends no packages.
exim4-daemon-heavy suggests no packages.
-- debconf information:
exim4-daemon-heavy/drec:
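The following is an added example and is not part of the bug report, the exim4 package or Exim itself. It parses transport sections written in the style quoted above (with an Exim-style macro pass so that CONFDIR/... paths resolve), then lists the smtp transports that set tls_certificate without any tls_verify_* option, which is the combination the reporter found sends no client certificate on the lenny GnuTLS build, and the certificate or key paths that do not exist on disk. The sample configuration is constructed for the example; the CONFDIR value is an assumption.

```python
"""Audit Exim smtp transports for client-certificate settings.

Added example, not code from the bug report or the exim4 package. The
parser covers the subset of Exim's configuration syntax used in the
transports quoted in the report: "name:" section headers, "option = value"
lines, bare boolean options, and top-level macro definitions.
"""
import os
import re

# Constructed sample: one macro plus the two transports quoted in the
# report (the CONFDIR value is an assumption made for the example).
SAMPLE_CONFIG = """\
CONFDIR = /etc/exim4

begin transports

remote_smtp_smarthost:
  debug_print = "T: remote_smtp_smarthost for $local_part@$domain"
  driver = smtp
  port = 587
  tls_certificate = CONFDIR/lobefin.net.crt
  tls_privatekey = CONFDIR/lobefin.net.key

remote_smtp:
  driver = smtp
  connect_timeout = 1m
  tls_certificate = /etc/exim4/ssl/thishost.crt
  tls_privatekey = /etc/exim4/ssl/thishost.key
"""

MACRO_RE = re.compile(r"^([A-Z][A-Z0-9_]*)\s*=\s*(.*)$")   # NAME = value (main section only)
BEGIN_RE = re.compile(r"^begin\s+(\w+)$")                  # begin transports / routers / ...
SECTION_RE = re.compile(r"^([A-Za-z0-9_]+):$")             # transport_name:
OPTION_RE = re.compile(r"^([a-z0-9_]+)\s*=\s*(.*)$")       # option = value
BARE_RE = re.compile(r"^(no_)?([a-z0-9_]+)$")              # boolean option: name / no_name

VERIFY_OPTS = ("tls_verify_certificates", "tls_verify_hosts", "tls_try_verify_hosts")
FILE_OPTS = ("tls_certificate", "tls_privatekey", "tls_verify_certificates")


def expand_macros(value, macros):
    """Exim-style macro expansion: plain textual substitution, longest name first."""
    for name in sorted(macros, key=len, reverse=True):
        value = value.replace(name, macros[name])
    return value


def parse_transports(text):
    """Return {transport_name: {option: expanded_value}} for the transports section."""
    macros, transports = {}, {}
    part, current = "main", None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = BEGIN_RE.match(line)
        if m:
            part, current = m.group(1), None
            continue
        if part == "main":
            m = MACRO_RE.match(line)
            if m:
                macros[m.group(1)] = m.group(2).strip()
            continue                      # other main-section options are not audited here
        if part != "transports":
            continue                      # routers, authenticators, ... are skipped
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            transports[current] = {}
            continue
        m = OPTION_RE.match(line)
        if m and current is not None:
            transports[current][m.group(1)] = expand_macros(m.group(2).strip(), macros)
            continue
        m = BARE_RE.match(line)
        if m and current is not None:
            transports[current][m.group(2)] = m.group(1) is None
            continue
        raise ValueError("unparsed transport line: %r" % raw)
    return transports


def audit_client_certs(transports):
    """Names of smtp transports with tls_certificate but no tls_verify_* option.

    On the reporter's lenny build (exim 4.69-9, GnuTLS) such a transport
    offered no client certificate at all; adding a verify option changed that.
    """
    return sorted(
        name for name, opts in transports.items()
        if opts.get("driver") == "smtp"
        and "tls_certificate" in opts
        and not any(o in opts for o in VERIFY_OPTS)
    )


def missing_cert_files(transports, exists=os.path.exists):
    """(transport, option, path) triples whose file is absent; exists() is injectable."""
    return [
        (name, opt, opts[opt])
        for name, opts in transports.items()
        for opt in FILE_OPTS
        if opt in opts and not exists(opts[opt])
    ]


if __name__ == "__main__":
    found = parse_transports(SAMPLE_CONFIG)
    for name in audit_client_certs(found):
        print("%s: tls_certificate set without any tls_verify_* option" % name)
    for name, opt, path in missing_cert_files(found):
        print("%s: %s -> %s does not exist" % (name, opt, path))
```

Run it against the real file with parse_transports(open("/etc/exim4/exim4.conf").read()) on each host; because the same config with a few ifdefs is shared across machines, the audit is a cheap way to see which hosts would silently fall back to a TLS session without a client certificate.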