Hi, I forgot to mention the workaround I've been using. This workaround should only apply if you cannot apply the upstream patch for some reason.

Regards, Jö.

# Workaround

One workaround to get fully verified SSL is to tell Exim to use a local port (e.g. 127.0.0.1:26) as the smarthost without requiring SSL. Connections to that port can then be forwarded via SSL to the real smarthost. It is easiest to set up a tunnel to the `submissions` port, or any other smtp port offered by the smarthost with SSL-on-connect (as opposed to STARTTLS).

This worked for me: Install `/etc/systemd/system/ssltunnel.socket` with content

```
[Socket]
ListenStream=127.0.0.1:26
BindToDevice=lo
Accept=yes

[Unit]
Before=exim4.service

[Install]
WantedBy=exim4.service
```

and `/etc/systemd/system/ssltunnel@.service` with content (obviously replacing the name of the smarthost)

```
[Service]
Type=simple
ExecStart=/usr/bin/socat - OPENSSL:smarthost.example.com:submissions
StandardInput=socket
StandardOutput=inherit
StandardError=journal
```

In `/etc/exim4/update-exim4.conf.conf` set

```
dc_smarthost='127.0.0.1::26'
```

and in `/etc/exim4/conf.d/router/200_exim4-config_primary` add the setting

```
self = send
```

in the `smarthost:` section, otherwise Exim will refuse to connect to localhost, assuming a configuration error.

Ensure that you use `*` as the hostname in `/etc/exim4/passwd.client` (or make sure the correct credentials will be selected through other means).

Then invoke

```
systemctl enable ssltunnel.socket
systemctl restart exim4
```

and you should be set.

If your smarthost only offers STARTTLS and no SSL-on-connect, you can use `openssl s_client` as the tunneling program. However, that program is meant as a debugging tool, and will by default not abort the connection when certificate verification fails, and it also won't verify the hostname by default. It's also noisy and will print messages to stdout, interfering with the tunneled connection content, unless quieted. You'll have to figure out the options to ensure correct certificate verification yourself.

There is also gnutls-cli, but there seems to be no way to prevent it from printing messages to stdout, so it is not really an option for tunneling.
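As an added example, not part of the message above nor of Exim, socat or OpenSSL: a small Python program that can take the place of `socat` or `openssl s_client` as the tunneling program in the `ssltunnel@.service` unit. It demonstrates the two properties the message asks for from such a program: the server certificate is verified against the system CA store including the hostname (the checks `openssl s_client` skips by default), and nothing but tunneled bytes is written to stdout, so it is safe under `StandardInput=socket` / `StandardOutput=inherit`. It handles both modes discussed: SSL-on-connect, and STARTTLS, where it runs the plaintext EHLO/STARTTLS dialogue itself and refuses to continue without TLS. The host name `smarthost.example.com` is the message's placeholder; port 587, the EHLO name, and the sample dialogues used for offline checks are constructed assumptions.

```python
"""Added example: a stdin/stdout TLS tunnel for use as ExecStart in a
socket-activated (Accept=yes) unit. Diagnostics go to stderr only."""
import os
import selectors
import socket
import ssl
import sys

SMARTHOST = "smarthost.example.com"  # placeholder name, as in the message
STARTTLS_PORT = 587                  # assumption: submission port with STARTTLS


def build_context() -> ssl.SSLContext:
    """Client context with system CA store, CERT_REQUIRED and hostname checking,
    i.e. the verification 'openssl s_client' does not enforce by default."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.verify_mode = ssl.CERT_REQUIRED      # default for this purpose, made explicit
    ctx.check_hostname = True                # ditto
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def read_reply(readline):
    """Read one SMTP reply; '250-' lines continue it, '250 ' ends it.
    Returns (code, [decoded lines])."""
    lines = []
    while True:
        raw = readline()
        if not raw:
            raise ConnectionError("peer closed the connection mid-reply")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return line[:3], lines


def negotiate_starttls(readline, send, ehlo_name="localhost"):
    """Plaintext SMTP up to the point where TLS begins. Returns the server's
    greeting lines on success, None on any failure. A server that does not
    advertise STARTTLS is a failure, never a plaintext fallback."""
    code, greeting = read_reply(readline)
    if code != "220":
        return None
    send(f"EHLO {ehlo_name}\r\n".encode("ascii"))
    code, ehlo = read_reply(readline)
    if code != "250" or not any(l[4:].strip().upper() == "STARTTLS" for l in ehlo):
        return None
    send(b"STARTTLS\r\n")
    code, _ = read_reply(readline)
    return greeting if code == "220" else None


def pump(tls_sock, stdin=sys.stdin.buffer, stdout=sys.stdout.buffer):
    """Shuttle bytes between the socket-activated stdin/stdout and the TLS socket."""
    sel = selectors.DefaultSelector()
    sel.register(stdin, selectors.EVENT_READ, "client")
    sel.register(tls_sock, selectors.EVENT_READ, "server")
    while True:
        for key, _ in sel.select():
            if key.data == "client":
                data = os.read(stdin.fileno(), 65536)
                if not data:
                    return
                tls_sock.sendall(data)
            else:
                data = tls_sock.recv(65536)
                while data and tls_sock.pending():   # drain already-decrypted bytes
                    data += tls_sock.recv(65536)
                if not data:
                    return
                stdout.write(data)
                stdout.flush()


class ScriptedPeer:
    """Constructed stand-in for the smarthost, used only for offline checks."""
    def __init__(self, lines):
        self._lines = iter(lines)
        self.sent = []
    def readline(self):
        return next(self._lines, b"")
    def send(self, data):
        self.sent.append(data)


# Constructed sample dialogues (not captured from a real server).
GOOD_DIALOGUE = [b"220 mail.example ESMTP ready\r\n", b"250-mail.example\r\n",
                 b"250-SIZE 10240000\r\n", b"250 STARTTLS\r\n",
                 b"220 2.0.0 Ready to start TLS\r\n"]
NO_STARTTLS_DIALOGUE = [b"220 mail.example ESMTP ready\r\n",
                        b"250-mail.example\r\n", b"250 SIZE 10240000\r\n"]


def main(host=SMARTHOST, port=STARTTLS_PORT, starttls=True):
    raw = socket.create_connection((host, port), timeout=30)
    greeting = None
    if starttls:
        # buffering=0: readline() takes bytes one at a time, so nothing meant for
        # the TLS layer is read ahead into a plaintext buffer.
        greeting = negotiate_starttls(raw.makefile("rb", buffering=0).readline, raw.sendall)
        if greeting is None:
            sys.exit("STARTTLS negotiation failed; not falling back to plaintext")
    tls = build_context().wrap_socket(raw, server_hostname=host)  # verifies chain + name
    tls.settimeout(None)
    if greeting is not None:
        # Exim behind stdin/stdout has seen no banner, while the server now expects
        # a fresh EHLO (RFC 3207): replay the greeting so both sides agree.
        sys.stdout.buffer.write("".join(l + "\r\n" for l in greeting).encode("ascii"))
        sys.stdout.buffer.flush()
    pump(tls)


if __name__ == "__main__":
    main()
```

For SSL-on-connect call `main(port=465, starttls=False)`; the server then sends its greeting inside TLS and no replay is needed. A failed chain or hostname check raises in `wrap_socket`, which ends the unit instance and leaves Exim with a closed connection rather than a silently unverified one.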