One of my clients is now failing to send messages via my Exim server. 
Other clients continue fine.

It manifests itself as "CV=no" in the logs, indicating Exim no longer sees 
the certificate as verifiable.

(Basic background checks (hash, expiry etc.) indicate the client's 
certificate is valid and unchanged)

Despite my best attempts, Exim is not giving anything in the logs as to 
why "verify = certificate" failed.

Below are some configuration fragments and my attempt to get any kind of 
log. Any ideas would be gratefully received, many thanks.

exim/configure:

tls_privatekey = /etc/ssl/local.key
tls_certificate = /etc/ssl/lets.crt
tls_advertise_hosts = *
tls_verify_certificates = /etc/ssl/certs/
tls_try_verify_hosts = *

log_selector = +tls_sni +tls_peerdn +tls_resumption +tls_cipher \
               +tls_certificate_verified \
               +receive_time \
               +deliver_time \
               +address_rewrite \
               +dkim_verbose

acl_check_rcpt:
  [...]
  accept  verify = certificate
          condition = ${if inlist{${sha256:$tls_in_peercert}}{RELAY_FROM_CERTS}}
          control = dkim_disable_verify
          logwrite = accepting message from certified connection ${substr{0}{6}{${sha256:$tls_in_peercert}}}

Even running Exim in the foreground:

$ exim -bd -d+tls
58846 Connection request from 82.36.X.X port 56984
[...]
59213 setting  SSL CTX options: 0000000042004000
59213 TLS: DH params were preloaded
59213 TLS: ECDH curve was preloaded
59213 TLS: server certs were preloaded
59213 Initialized TLS
59213 host in tls_verify_hosts? no (option unset)
59213 host in tls_try_verify_hosts?
59213  list element: *
59213  host in tls_try_verify_hosts? yes (matched "*")
59213 TLS: CA bundle for server was preloaded
59213 Calling SSL_accept
59213 SSL hshake_start: before SSL initialization
59213 SSL SSL_accept,state_chg: before SSL initialization
59213 SSL SSL_accept,state_chg: before SSL initialization
59213 Received TLS SNI "mail.XXXXXXXXXXX" (unused for certificate selection)
59213 SSL SSL_accept,state_chg: SSLv3/TLS read client hello
59213 SERVER_HANDSHAKE_TRAFFIC_SECRET 4834841eb4XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 6b83d6509XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
59213 CLIENT_HANDSHAKE_TRAFFIC_SECRET 4834841eb4XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 0abb76de9XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
59213 SSL SSL_accept,state_chg: SSLv3/TLS write server hello
59213 SSL SSL_accept,state_chg: TLSv1.3 write encrypted extensions
59213 SSL SSL_accept,state_chg: SSLv3/TLS write certificate request
59213 SSL SSL_accept,state_chg: SSLv3/TLS write certificate
59213 SSL SSL_accept,state_chg: TLSv1.3 write server certificate verify
59213 EXPORTER_SECRET 4834841eb4cXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 7a450746866e7XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
59213 SERVER_TRAFFIC_SECRET_0 4834841eb4cXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 3a975a6df115XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
59213 SSL SSL_accept,state_chg: SSLv3/TLS write finished
59213 SSL SSL_accept,state_chg: TLSv1.3 early data
59213 SSL SSL_accept,state_chg: TLSv1.3 early data
59213 SSL SSL_accept,state_chg: SSLv3/TLS read client certificate
59213 CLIENT_TRAFFIC_SECRET_0 4834841eb4cXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX e3c12a3feb660dXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
59213 SSL SSL_accept,state_chg: SSLv3/TLS read finished
59213 SSL hshake_done: SSL negotiation finished successfully
59213 SSL_accept was successful
59213 host in hosts_require_alpn? no (option unset)
59213 TLS: no ALPN presented in handshake
59213 Cipher: TLS1.3:TLS_AES_256_GCM_SHA384:256
59213 Shared ciphers: TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA
59213 Have channel bindings cached for possible auth usage 0x1e6627afb6f8 0x3515e0
[...]
59213 Calling SSL_read(0x1e6627b0e000, 0x1e6627b4d008, 4096)
59213 SMTP<< MAIL FROM:<mark@XXXXXXXXXXXXXXXX>
[...]
59213 using ACL "acl_check_rcpt"
[...]
59213 processing "accept" (/usr/local/etc/exim/configure 169)
59213 check verify = certificate
59213 accept: condition test failed in ACL "acl_check_rcpt"
59213 processing "warn" (/usr/local/etc/exim/configure 174)
59213 check verify = certificate
59213 warn: condition test failed in ACL "acl_check_rcpt"
59213 processing "require" (/usr/local/etc/exim/configure 186)
59213   message: relay not permitted
59213 check domains = +local_domains : +relay_to_domains

-- 
Mark
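Added example, not part of the post above and not Exim's own code. The debug output shows `check verify = certificate` failing before the `condition =` line is ever evaluated, so the two things worth ruling out offline are (a) whether the CA directory named in `tls_verify_certificates` is actually usable as an OpenSSL lookup directory, which needs the hashed entries that `c_rehash` / `openssl rehash` create (names like `1a2b3c4d.0`), rather than only plainly named `.pem`/`.crt` files, and (b) whether the fingerprint in a `RELAY_FROM_CERTS` list is the same value Exim computes from `${sha256:$tls_in_peercert}` (SHA-256 of the DER certificate, rendered as uppercase hex; `inlist` compares case-sensitively, `inlisti` does not). The certificate bytes, the PEM built from them and the relay list below are constructed for the example and are not a real certificate; `/etc/ssl/certs/` is the path from the post.

```python
"""Offline checks for an Exim 'verify = certificate' / CV=no problem.

Example code added to illustrate the post; not Exim's code. Constructed
sample data is used throughout so it runs without a real certificate.
"""
import base64
import hashlib
import os
import re

# Constructed DER bytes standing in for a certificate (NOT a real X.509 cert).
SAMPLE_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(SAMPLE_DER).decode()
    + "\n-----END CERTIFICATE-----\n"
)

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)
# Names produced by c_rehash / "openssl rehash": 8 hex digits, then .N for
# certificates or .rN for CRLs (e.g. 4a6209bc.0, 4a6209bc.r0).
HASHED_NAME_RE = re.compile(r"^[0-9a-f]{8}\.r?\d+$")


def pem_to_der(pem_text: str) -> list[bytes]:
    """Return the DER bytes of every certificate block found in a PEM text."""
    return [base64.b64decode("".join(body.split())) for body in PEM_RE.findall(pem_text)]


def fingerprint_of_der(der: bytes) -> str:
    """SHA-256 fingerprint the way Exim renders ${sha256:<certificate>}:
    64 hex digits, letters in upper case, no separators."""
    return hashlib.sha256(der).hexdigest().upper()


def fingerprints_of_pem(pem_text: str) -> list[str]:
    """Fingerprints of all certificates in a PEM file, in file order."""
    return [fingerprint_of_der(der) for der in pem_to_der(pem_text)]


def matches_relay_list(fingerprint: str, relay_from_certs: list[str]) -> bool:
    """Mirror Exim's case-sensitive inlist{} test against RELAY_FROM_CERTS."""
    return fingerprint in relay_from_certs


def hashed_entries(names: list[str]) -> list[str]:
    """Directory entries OpenSSL can use when the path is given as a CApath."""
    return sorted(n for n in names if HASHED_NAME_RE.match(n))


def capath_report(names: list[str]) -> dict:
    """Summarise whether a directory looks usable for OpenSSL directory lookups.

    OpenSSL resolves a CA by the hashed name, so a directory holding only
    ca.pem-style files yields no trusted issuers and verification fails.
    """
    hashed = hashed_entries(names)
    plain = [
        n for n in names
        if n.lower().endswith((".pem", ".crt")) and not HASHED_NAME_RE.match(n)
    ]
    return {
        "hashed": len(hashed),
        "unhashed_pem_like": len(plain),
        "usable_as_capath": len(hashed) > 0,
    }


def check_capath(path: str) -> dict:
    """Run capath_report() on a real directory such as /etc/ssl/certs/."""
    return capath_report(os.listdir(path))


if __name__ == "__main__":
    # Constructed relay list: one entry in Exim's format, one lowercased.
    fp = fingerprints_of_pem(SAMPLE_PEM)[0]
    relay_from_certs = [fp]
    print("client fingerprint:", fp)
    print("in RELAY_FROM_CERTS (exact case):", matches_relay_list(fp, relay_from_certs))
    print("in RELAY_FROM_CERTS (lowercased):", matches_relay_list(fp.lower(), relay_from_certs))
    print("CApath check:", capath_report(["ca.pem", "4a6209bc.0", "README"]))
    # On the server from the post: print(check_capath("/etc/ssl/certs/"))
```

If the report for the real directory shows `usable_as_capath: False`, running `openssl rehash` (or `c_rehash`) on it, or pointing `tls_verify_certificates` at a single bundle file instead, is the thing to try; if the directory is fine, comparing `fingerprints_of_pem()` of the client's certificate file with the entries in `RELAY_FROM_CERTS` rules out a list mismatch, which is a separate failure from the `verify = certificate` check seen in the debug output.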
