Package: exim4-daemon-heavy
Version: 4.69-9
Severity: important
It seems that the certificate verification fails when Exim
connects to the peer, while should the peer in question connect
to Exim, it succeeds. Consider, e. g.:
* accepting peer's connection (we're the server):
2009-08-31 20:03:54 1MiD6Y-0006C4-8S <= i...@main... H=... (...) [62.109.12.37]
P=esmtps X=TLS1.0:RSA_AES_256_CBC_SHA1:32 CV=yes DN="C=RU,ST=Altai
Krai,O=Private,OU=SMTP
peers,CN=waterlily.ip.uusia.org,email=i...@main.uusia.org" S=800
id=e1mid6m-00052j...@...
* making a connection to the same peer (we're the client):
2009-08-31 20:05:43 1MiD8A-0008Jf-2X => i...@main... R=hubbed_hosts
T=remote_smtp H=waterlily.ip.uusia.org [62.109.12.37]
X=TLS1.0:RSA_AES_256_CBC_SHA1:32 CV=no DN="C=RU,ST=Altai Krai,O=Private,OU=SMTP
peers,CN=waterlily.ip.uusia.org,email=i...@main.uusia.org"
Note the CV=yes vs. CV=no discrepancy.
NB: without the reliable certificate verification for receivers
it's impossible to be secure against a MitM attack, as a server
with a self-signed (or otherwise unverifiable) certificate may
pose as a legitimate receiver or relay for the outgoing mail.
The remote configuration has the same key + certificate pair
(/etc/exim4/exim.key and exim.crt) set both for the server
(these are the defaults) and the SMTP client:
### main/00_local_tls_client
REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS = *
REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE = /etc/exim4/exim.crt
REMOTE_SMTP_SMARTHOST_TLS_PRIVATEKEY = /etc/exim4/exim.key
### main/00_local_tls_client ends here
### transport/30_exim4-config_remote_smtp_smarthost
#################################
# This transport is used for delivering messages over SMTP connections
# to a smarthost. The local host tries to authenticate.
# This transport is used for smarthost and satellite configurations.
remote_smtp_smarthost:
debug_print = "T: remote_smtp_smarthost for $local_p...@$domain"
driver = smtp
hosts_try_auth = <; ${if exists{CONFDIR/passwd.client} \
{\
${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$host_address}}\
}\
{} \
}
.ifdef REMOTE_SMTP_SMARTHOST_TLS_PRIVATEKEY
tls_privatekey = REMOTE_SMTP_SMARTHOST_TLS_PRIVATEKEY
.endif
.ifdef REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE
tls_certificate = REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE
.endif
.ifdef REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS
hosts_require_tls = REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS
.endif
.ifdef REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS
hosts_avoid_tls = REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS
.endif
.ifdef REMOTE_SMTP_HEADERS_REWRITE
headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE
.endif
.ifdef REMOTE_SMTP_RETURN_PATH
return_path = REMOTE_SMTP_RETURN_PATH
.endif
.ifdef REMOTE_SMTP_HELO_FROM_DNS
helo_data=REMOTE_SMTP_HELO_DATA
.endif
--
FSF associate member #7257
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
