Hello all,

to debug why the valid CERT is not accepted for a DANE-verified outbound connection, I tried to enable debugging via ACL:

>acl_smtp_starttls:
>  accept
>    message = TLS debug started
>    logwrite = TLS debugging acl triggered
>    control = debug
>    control = debug/tag=.$sender_host_address
>    control = debug/opts=-all+deliver+tls
>    control = debug/trigger=now

However, I do not get a single line of debug output, neither when exim denies the connection with the error "Key usage violation in certificate has been detected.", nor when other working TLS connections are established. This seems not to work; exim creates no debuglog.

However, when I put those controls into "acl_log_write", I get a whole bunch of stuff, but nothing related to TLS, and that's what I wish to get. I get all the detailed information about all routers, filters, transports, with all expansions and other stuff, but not a single line about the connection to the remote host with all the TLS/DANE-related stuff. I have configured -all+tls, but it looks like I get all but tls! However, the logfile claims that +tls is set:

> check control = debug/tag=.$sender_host_address/opts=-all+tls
> = debug/tag=.111.222.111.222/opts=-all+tls
>DEBUGGING ACTIVATED FROM WITHIN CONFIG.
>DEBUG: Tag=".111.222.111.222" opts="-all+tls"
> check control = debug/opts=-all+tls
>DEBUGGING ACTIVATED FROM WITHIN CONFIG.
>DEBUG: Tag="NULL" opts="-all+tls"
> check control = debug/trigger=now/opts=-all+tls
>DEBUGGING ACTIVATED FROM WITHIN CONFIG.
>DEBUG: Tag="NULL" opts="-all+tls"
> accept: condition test succeeded in ACL "acl_log_write"
> end of ACL "acl_log_write": ACCEPT

My goal is to get information about which of the certs presented during the TLS handshake exim takes into account for verifying the DANE RR. Furthermore, whether exim compares the hostname against the CN or one of the additional SANs embedded in the cert. Can anyone point me in the right direction on how I can get this information?

Thanks
Wolfgang