Bug#591261: exim4: Certificate based verification does not work.
Jon Westgate
jon at fsck.tv
Sun Aug 1 16:50:32 UTC 2010
Hi Andreas,
I have this as my config.
tls_certificate = /etc/exim4/mail.fsck.tv-cert.pem
tls_privatekey = /etc/exim4/mail.fsck.tv-key.pem
log_selector = +tls_peerdn
tls_dhparam = /etc/exim4/dh.key
tls_advertise_hosts = *
#auth_advertise_hosts = ${if eq {$tls_cipher}{}{}{*}}
auth_advertise_hosts = *
tls_try_verify_hosts = *
tls_verify_certificates = /etc/exim4/cacerts/cacert.pem   <- (yes, this is a file and not a directory)
The point I was trying to make is that exim doesn't send a certificate when asked, even if you have the following:
remote_smtp:
driver = smtp
tls_certificate = /etc/exim4/mail.fsck.tv-cert.pem
tls_privatekey = /etc/exim4/mail.fsck.tv-key.pem
Recompile both servers against OpenSSL and it magically works, but only if both are built against OpenSSL.
Regards
Jon
On 01/08/10 17:35, Andreas Metzler wrote:
> On 2010-08-01 Jon Westgate <oryn at fsck.tv> wrote:
>
>> Package: exim4
>> Version: 4.72-1
>> Severity: important
>> Tags: upstream
>>
>
>> I have been asked to set up an exim4 server for use with CJSM.
>> https://www.cjsm.net This requires that a server (acting as a smart
>> host in this case) encrypt and sign all emails headed for CJSM.
>> This is something that according to exim.org, exim should be
>> capable of doing. After struggling with this for a number of days
>> I came across a blog entry on the web saying that exim compiled
>> against OpenSSL seemed to work whereas exim compiled against GnuTLS
>> didn't. I recompiled and hey presto everything works. I'm not
>> campaigning for OpenSSL to be the default in exim, just merely
>> registering the fact that both tls_try_verify_hosts and
>> tls_verify_hosts directives fail with this package. Indeed exim as
>> a client does not send a certificate when asked for one.
>>
> [...]
>
> Hello,
>
> the information you provided is sparse. If I were asked for a guess, I would think that you stumbled upon
> | 39.2 OpenSSL vs GnuTLS
> |
> | The tls_verify_certificates option must contain the name of a file,
> | not the name of a directory (for OpenSSL it can be either).
>
> cu andreas
>
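The two configuration points this thread turns on are easy to get wrong silently: with the GnuTLS build, tls_verify_certificates must name a single PEM file rather than a directory (section 39.2 quoted above), and an exim client only presents a certificate to a peer that asks for one if the transport itself carries both tls_certificate and tls_privatekey. The following is an added Python check written for this page, not code from the bug report, from Debian or from the exim project. It assumes a simplified "name = value" reading of the options (no ${...} expansion), uses the option values from Jon's message as constructed sample input, and writes a constructed placeholder PEM block into a temporary directory so it runs offline.

```python
import os
import re
import tempfile

# Constructed sample: the main-section options quoted in the bug report.
SAMPLE_MAIN = """\
tls_certificate = /etc/exim4/mail.fsck.tv-cert.pem
tls_privatekey = /etc/exim4/mail.fsck.tv-key.pem
log_selector = +tls_peerdn
tls_dhparam = /etc/exim4/dh.key
tls_advertise_hosts = *
#auth_advertise_hosts = ${if eq {$tls_cipher}{}{}{*}}
auth_advertise_hosts = *
tls_try_verify_hosts = *
tls_verify_certificates = /etc/exim4/cacerts/cacert.pem
"""

# Constructed sample: the remote_smtp transport body from the report.
SAMPLE_TRANSPORT = """\
driver = smtp
tls_certificate = /etc/exim4/mail.fsck.tv-cert.pem
tls_privatekey = /etc/exim4/mail.fsck.tv-key.pem
"""

PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def parse_options(text):
    """Read 'name = value' lines; '#' lines are comments; later names win.
    Simplified on purpose: exim's real syntax (expansion, macros) is not handled."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        opts[name.strip()] = value.strip()
    return opts


def count_pem_certificates(path):
    """Number of PEM certificate blocks in a bundle file."""
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        return len(PEM_CERT_RE.findall(fh.read()))


def check_verify_certificates(opts, tls_library="gnutls"):
    """Findings about tls_verify_certificates for a main-section option map.
    GnuTLS builds need a file; OpenSSL builds accept a file or a directory."""
    findings = []
    path = opts.get("tls_verify_certificates")
    if path is None:
        if "tls_verify_hosts" in opts or "tls_try_verify_hosts" in opts:
            findings.append("verification requested but tls_verify_certificates is unset")
        return findings
    if not os.path.exists(path):
        findings.append("tls_verify_certificates does not exist: " + path)
    elif os.path.isdir(path):
        if tls_library == "gnutls":
            findings.append("tls_verify_certificates is a directory; GnuTLS needs a PEM file: " + path)
    elif count_pem_certificates(path) == 0:
        findings.append("tls_verify_certificates holds no PEM certificates: " + path)
    return findings


def check_client_certificate(transport_opts):
    """A client cert is only offered when the transport has both cert and key."""
    have_cert = "tls_certificate" in transport_opts
    have_key = "tls_privatekey" in transport_opts
    if have_cert and have_key:
        return []
    if have_cert != have_key:
        return ["transport sets only one of tls_certificate / tls_privatekey"]
    return ["transport has no client certificate; peer requests for one will be unanswered"]


def demo():
    """Run the checks against a constructed PEM file, a directory and a missing path."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        bundle = os.path.join(tmp, "cacert.pem")
        with open(bundle, "w") as fh:
            # Constructed placeholder, not a real certificate.
            fh.write("-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n")
        cadir = os.path.join(tmp, "cacerts")
        os.mkdir(cadir)
        base = parse_options(SAMPLE_MAIN)
        scenarios = [("file-gnutls", bundle, "gnutls"), ("dir-gnutls", cadir, "gnutls"),
                     ("dir-openssl", cadir, "openssl"),
                     ("missing-gnutls", os.path.join(tmp, "absent.pem"), "gnutls")]
        for label, path, lib in scenarios:
            results[label] = check_verify_certificates(dict(base, tls_verify_certificates=path), lib)
    results["transport"] = check_client_certificate(parse_options(SAMPLE_TRANSPORT))
    return results


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, "->", findings or "ok")
```

The "dir-gnutls" scenario is the one Andreas's reply points at: the same path passes under the OpenSSL rule and fails under the GnuTLS rule, which matches the "works only when built against OpenSSL" symptom without any change to the configuration text itself.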