Package: exim4-daemon-heavy
Version: 4.69-9
Severity: important

It seems that the certificate verification fails when Exim connects to the peer, while should the peer in question connect to Exim, it succeeds. Consider, e.g.:
* accepting peer's connection (we're the server):

2009-08-31 20:03:54 1MiD6Y-0006C4-8S <= i...@main... H=... (...) [62.109.12.37] P=esmtps X=TLS1.0:RSA_AES_256_CBC_SHA1:32 CV=yes DN="C=RU,ST=Altai Krai,O=Private,OU=SMTP peers,CN=waterlily.ip.uusia.org,email=i...@main.uusia.org" S=800 id=e1mid6m-00052j...@...

* making a connection to the same peer (we're the client):

2009-08-31 20:05:43 1MiD8A-0008Jf-2X => i...@main... R=hubbed_hosts T=remote_smtp H=waterlily.ip.uusia.org [62.109.12.37] X=TLS1.0:RSA_AES_256_CBC_SHA1:32 CV=no DN="C=RU,ST=Altai Krai,O=Private,OU=SMTP peers,CN=waterlily.ip.uusia.org,email=i...@main.uusia.org"

Note the CV=yes vs. CV=no discrepancy.

NB: without the reliable certificate verification for receivers it's impossible to be secure against a MitM attack, as a server with a self-signed (or otherwise unverifiable) certificate may pose as a legitimate receiver or relay for the outgoing mail.

The remote configuration has the same key + certificate pair (/etc/exim4/exim.key and exim.crt) set both for the server (these are the defaults) and the SMTP client:

### main/00_local_tls_client
REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS = *
REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE = /etc/exim4/exim.crt
REMOTE_SMTP_SMARTHOST_TLS_PRIVATEKEY = /etc/exim4/exim.key
### main/00_local_tls_client ends here

### transport/30_exim4-config_remote_smtp_smarthost
#################################
# This transport is used for delivering messages over SMTP connections
# to a smarthost. The local host tries to authenticate.
# This transport is used for smarthost and satellite configurations.

remote_smtp_smarthost:
  debug_print = "T: remote_smtp_smarthost for $local_p...@$domain"
  driver = smtp
  hosts_try_auth = <; ${if exists{CONFDIR/passwd.client} \
      {\
      ${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$host_address}}\
      }\
      {} \
    }
.ifdef REMOTE_SMTP_SMARTHOST_TLS_PRIVATEKEY
  tls_privatekey = REMOTE_SMTP_SMARTHOST_TLS_PRIVATEKEY
.endif
.ifdef REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE
  tls_certificate = REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE
.endif
.ifdef REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS
  hosts_require_tls = REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS
.endif
.ifdef REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS
  hosts_avoid_tls = REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS
.endif
.ifdef REMOTE_SMTP_HEADERS_REWRITE
  headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE
.endif
.ifdef REMOTE_SMTP_RETURN_PATH
  return_path = REMOTE_SMTP_RETURN_PATH
.endif
.ifdef REMOTE_SMTP_HELO_FROM_DNS
  helo_data=REMOTE_SMTP_HELO_DATA
.endif

-- 
FSF associate member #7257
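The CV=yes / CV=no discrepancy in the report can be checked across a whole main log rather than by eye. The script below is an added example, not part of the bug report or of Exim: it parses the X=, CV= and DN= fields of Exim arrival (<=) and delivery (=>) records and lists outbound deliveries that negotiated TLS without a verified peer certificate. Its sample input is the two log lines from the report plus one constructed delivery with no TLS at all.

```python
import re

# Exim main-log fields relevant to TLS, as seen in the report's log lines:
# X= cipher suite, CV= whether the peer certificate verified, DN= peer subject.
# The patterns assume Exim's default log line layout.
_FIELDS = {
    "ip": re.compile(r"\[([0-9a-fA-F.:]+)\]"),
    "host": re.compile(r" H=(\S+)"),
    "cipher": re.compile(r" X=(\S+)"),
    "cv": re.compile(r" CV=(yes|no)"),
    "dn": re.compile(r' DN="([^"]*)"'),
}

# Sample input: the two lines quoted in the report (with the list archive's
# address elisions left in) plus one constructed delivery without TLS.
SAMPLE_LOG = [
    '2009-08-31 20:03:54 1MiD6Y-0006C4-8S <= i...@main... H=... (...) [62.109.12.37] '
    'P=esmtps X=TLS1.0:RSA_AES_256_CBC_SHA1:32 CV=yes DN="C=RU,ST=Altai Krai,O=Private,'
    'OU=SMTP peers,CN=waterlily.ip.uusia.org,email=i...@main.uusia.org" S=800 id=e1mid6m-00052j...@...',
    '2009-08-31 20:05:43 1MiD8A-0008Jf-2X => i...@main... R=hubbed_hosts T=remote_smtp '
    'H=waterlily.ip.uusia.org [62.109.12.37] X=TLS1.0:RSA_AES_256_CBC_SHA1:32 CV=no '
    'DN="C=RU,ST=Altai Krai,O=Private,OU=SMTP peers,CN=waterlily.ip.uusia.org,email=i...@main.uusia.org"',
    '2009-08-31 20:07:01 1MiD9Q-0001Ab-Vt => user@example.invalid R=dnslookup T=remote_smtp '
    'H=mx.example.invalid [192.0.2.10]',  # constructed: plain-text delivery, no X= field
]


def parse_tls_entry(line):
    """TLS fields of an arrival (<=) or delivery (=>) record; None for other lines."""
    if " <= " in line:
        direction = "inbound"
    elif " => " in line:
        direction = "outbound"
    else:
        return None
    entry = {"direction": direction}
    for name, pattern in _FIELDS.items():
        match = pattern.search(line)
        entry[name] = match.group(1) if match else None
    return entry


def unverified_outbound(lines):
    """(host, ip, dn) for deliveries that used TLS but logged CV=no (or no CV= at all).
    These are the sessions in which any certificate, self-signed included, was accepted."""
    flagged = []
    for line in lines:
        entry = parse_tls_entry(line)
        if entry and entry["direction"] == "outbound" and entry["cipher"] and entry["cv"] != "yes":
            flagged.append((entry["host"], entry["ip"], entry["dn"]))
    return flagged


if __name__ == "__main__":
    print(unverified_outbound(SAMPLE_LOG))
```

Run it against /var/log/exim4/mainlog on a host with hosts_require_tls set to confirm whether every outbound TLS session actually verified its peer; a missing CV= field is treated as unverified, which is the conservative reading.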