Bug#544472: server certificate verification fails when connecting as an SMTP client?

Ivan Shmakov ivan at main.uusia.org
Mon Aug 31 20:34:41 UTC 2009


Package: exim4-daemon-heavy
Version: 4.69-9
Severity: important

	It seems that the certificate verification fails when Exim
	connects to the peer, while should the peer in question connect
	to Exim, it succeeds.  Consider, e. g.:

	* accepting peer's connection (we're the server):

2009-08-31 20:03:54 1MiD6Y-0006C4-8S <= ivan at main... H=... (...) [62.109.12.37] P=esmtps X=TLS1.0:RSA_AES_256_CBC_SHA1:32 CV=yes DN="C=RU,ST=Altai Krai,O=Private,OU=SMTP peers,CN=waterlily.ip.uusia.org,EMAIL=ivan at main.uusia.org" S=800 id=E1MiD6M-00052j-9C at ...

	* making a connection to the same peer (we're the client):

2009-08-31 20:05:43 1MiD8A-0008Jf-2X => ivan at main... R=hubbed_hosts T=remote_smtp H=waterlily.ip.uusia.org [62.109.12.37] X=TLS1.0:RSA_AES_256_CBC_SHA1:32 CV=no DN="C=RU,ST=Altai Krai,O=Private,OU=SMTP peers,CN=waterlily.ip.uusia.org,EMAIL=ivan at main.uusia.org"

	Note the CV=yes vs. CV=no discrepancy.

	NB: without the reliable certificate verification for receivers
	it's impossible to be secure against a MitM attack, as a server
	with a self-signed (or otherwise unverifiable) certificate may
	pose as a legitimate receiver or relay for the outgoing mail.

	The remote configuration has the same key + certificate pair
	(/etc/exim4/exim.key and exim.crt) set both for the server
	(these are the defaults) and the SMTP client:

### main/00_local_tls_client
REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS = *
REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE  = /etc/exim4/exim.crt
REMOTE_SMTP_SMARTHOST_TLS_PRIVATEKEY   = /etc/exim4/exim.key
### main/00_local_tls_client ends here


### transport/30_exim4-config_remote_smtp_smarthost
#################################

# This transport is used for delivering messages over SMTP connections
# to a smarthost. The local host tries to authenticate.
# This transport is used for smarthost and satellite configurations.

remote_smtp_smarthost:
  debug_print = "T: remote_smtp_smarthost for $local_part@$domain"
  driver = smtp
  hosts_try_auth = <; ${if exists{CONFDIR/passwd.client} \
        {\
        ${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$host_address}}\
        }\
        {} \
      }
.ifdef REMOTE_SMTP_SMARTHOST_TLS_PRIVATEKEY
  tls_privatekey = REMOTE_SMTP_SMARTHOST_TLS_PRIVATEKEY
.endif
.ifdef REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE
  tls_certificate = REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE
.endif
.ifdef REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS
  hosts_require_tls = REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS
.endif
.ifdef REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS
  hosts_avoid_tls = REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS
.endif
.ifdef REMOTE_SMTP_HEADERS_REWRITE
  headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE
.endif
.ifdef REMOTE_SMTP_RETURN_PATH
  return_path = REMOTE_SMTP_RETURN_PATH
.endif
.ifdef REMOTE_SMTP_HELO_FROM_DNS
  helo_data=REMOTE_SMTP_HELO_DATA
.endif

-- 
FSF associate member #7257
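To find the CV=no condition shown above across a whole Exim main log, the following is an added Python example (it is not part of the bug report and not Exim's own code): it parses Exim's key=value log items, including the quoted DN value that itself contains commas and "=" signs, and lists outbound deliveries that used TLS but whose peer certificate was not verified. The sample log consists of the two lines quoted in the report.

```python
import re
from typing import Dict, List, Optional, Tuple

# Exim main-log head: "<date> <time> <message-id> <flag> ..." where the flag
# is "<=" for a message received and "=>" for a delivery made.
_HEAD = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<msgid>[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}) "
    r"(?P<flag><=|=>|->|==|\*\*)"
)
# key=value items; a double-quoted value such as DN="C=RU,ST=..." may contain
# spaces, commas and further '=' signs, so it is consumed as a single token.
_ITEM = re.compile(
    r'(?<![\w"])(?P<key>[A-Za-z]+)=(?:"(?P<quoted>(?:[^"\\]|\\.)*)"|(?P<bare>\S+))'
)
_IP = re.compile(r"\[(?P<ip>[0-9A-Fa-f.:]+)\]")

# Sample input: the two log lines from the bug report.
SAMPLE_LOG: List[str] = [
    '2009-08-31 20:03:54 1MiD6Y-0006C4-8S <= ivan at main... H=... (...) [62.109.12.37] P=esmtps X=TLS1.0:RSA_AES_256_CBC_SHA1:32 CV=yes DN="C=RU,ST=Altai Krai,O=Private,OU=SMTP peers,CN=waterlily.ip.uusia.org,EMAIL=ivan at main.uusia.org" S=800 id=E1MiD6M-00052j-9C at ...',
    '2009-08-31 20:05:43 1MiD8A-0008Jf-2X => ivan at main... R=hubbed_hosts T=remote_smtp H=waterlily.ip.uusia.org [62.109.12.37] X=TLS1.0:RSA_AES_256_CBC_SHA1:32 CV=no DN="C=RU,ST=Altai Krai,O=Private,OU=SMTP peers,CN=waterlily.ip.uusia.org,EMAIL=ivan at main.uusia.org"',
]


def parse_exim_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one receive/delivery log line, or None otherwise."""
    head = _HEAD.match(line)
    if not head:
        return None
    rec = {"msgid": head.group("msgid"), "flag": head.group("flag")}
    for item in _ITEM.finditer(line, head.end()):
        quoted, bare = item.group("quoted"), item.group("bare")
        rec[item.group("key")] = quoted if quoted is not None else bare
    ip = _IP.search(line)
    if ip:
        rec["ip"] = ip.group("ip")
    return rec


def unverified_outbound_tls(lines) -> List[Tuple[str, str, str, str]]:
    """Deliveries ("=>") made over TLS (X= present) whose peer certificate was
    not verified (CV is not "yes"): the condition the report describes."""
    findings = []
    for line in lines:
        rec = parse_exim_line(line)
        if rec and rec["flag"] == "=>" and "X" in rec and rec.get("CV") != "yes":
            findings.append((rec["msgid"], rec.get("H", "?"), rec.get("ip", "?"), rec.get("CV", "absent")))
    return findings
```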