On 2025/09/03 11:44 AM, Mark Hills via Exim-users wrote:
> Any ideas would be gratefully received
You didn't say what version of Exim. Here's what I do for deep certificate
issue visibility; it does depend on facilities that appeared more recently
in Exim. You should check with the documentation that applies to your version.
There's some business logic in here that likely does not match yours, so
do not use blindly.
Main config option:

  event_action = ${acl {tls_inbound_event}}

ACL:

  inbound_user_cert:
    accept set acl_m_tmp = ${certextract {subj_altname,mail} {$tls_in_peercert}}
           condition = ${if def:acl_m_tmp}
           logwrite = potential user cert <$acl_m_tmp>
           set acl_m_tmp =

  tls_inbound_event:
    accept condition = ${if !eq {tls:cert} {$event_name}}

    warn   logwrite = [$sender_host_address] $sender_host_name \
                      $event_name depth=$event_data \
                      <${certextract {subject} {$tls_in_peercert}}>\
                      ${if ={0}{$event_data} \
                        { <${certextract {subj_altname}{$tls_in_peercert}}>}}

    accept condition = ${if !={0}{$event_data}}

    accept acl = inbound_user_cert

    deny   condition = ${if !def:sender_host_name}
           logwrite = [$sender_host_address] no rDNS - can't verify client-cert
           message = fail

    deny   !acl = is_certname_verify ${lc:$sender_host_name} tls_in_peercert
           logwrite = [$sender_host_address] $sender_host_name client-cert \
                      name mismatch; try relaxed-rDNS names
           !condition = ${if forany {${lookup dnsdb{>: ptr=$sender_host_address}}} \
                          {and {{!eqi {$sender_host_name}{$item}} \
                                {acl{{is_certname_verify}{${lc:$item}}{tls_in_peercert}}} \
                          } } }
           # message = client-cert hostname mismatch
           logwrite = [$sender_host_address] client-cert hostname mismatch

    accept logwrite = [$sender_host_address] $sender_host_name client-cert \
                      relaxed-rDNS name ok
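The decision flow of the two ACLs above, modelled in Python as an added illustration for this page (it is not Exim code and not the poster's configuration). The certificate is represented by its already-extracted fields, i.e. what ${certextract ...} would return, and the PTR names stand in for the dnsdb lookup. The is_certname_verify ACL is referenced but not shown in the post, so the certname_verify() stand-in here (case-insensitive match against the dNSName SANs, falling back to the subject CN only when there is no SAN) is an assumption; everything else follows the verbs in the order the post lists them.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Cert:
    """Pre-extracted certificate fields (what ${certextract ...} would yield)."""
    subject: str                                        # e.g. "CN=mx.example.org"
    san_dns: list[str] = field(default_factory=list)    # subj_altname dns entries
    san_mail: list[str] = field(default_factory=list)   # subj_altname mail entries


@dataclass
class Peer:
    """Connection-level facts about the sending host."""
    address: str                  # $sender_host_address
    host_name: Optional[str]      # $sender_host_name, None when no verified rDNS
    ptr_names: list[str]          # what ${lookup dnsdb{ptr=$sender_host_address}} lists


def certname_verify(name: str, cert: Cert) -> bool:
    """Assumed stand-in for the is_certname_verify ACL (not shown in the post):
    case-insensitive exact match against the dNSName SANs, falling back to the
    subject CN only when the certificate carries no dNSName SAN at all."""
    want = name.lower().rstrip(".")
    names = {n.lower().rstrip(".") for n in cert.san_dns}
    if not names:
        for rdn in cert.subject.split(","):
            key, _, value = rdn.strip().partition("=")
            if key.strip().upper() == "CN":
                names.add(value.strip().lower().rstrip("."))
    return want in names


def inbound_user_cert(cert: Cert, log: list[str]) -> bool:
    """Mirror of the inbound_user_cert ACL: accept when the cert has a mail SAN."""
    if cert.san_mail:
        log.append(f"potential user cert <{':'.join(cert.san_mail)}>")
        return True
    return False


def tls_inbound_event(event_name: str, event_data: str,
                      peer: Peer, cert: Cert) -> tuple[str, list[str]]:
    """Mirror of the tls_inbound_event ACL. Returns (verdict, log lines)."""
    log: list[str] = []
    if event_name != "tls:cert":
        return "accept", log                  # other events: nothing to do
    depth = int(event_data)                   # $event_data is the chain depth
    host = peer.host_name or ""
    line = f"[{peer.address}] {host} {event_name} depth={depth} <{cert.subject}>"
    if depth == 0:
        line += f" <{':'.join(cert.san_dns + cert.san_mail)}>"
    log.append(line)
    if depth != 0:
        return "accept", log                  # only the leaf cert is checked
    if inbound_user_cert(cert, log):
        return "accept", log                  # user cert: name check not applicable
    if peer.host_name is None:
        log.append(f"[{peer.address}] no rDNS - can't verify client-cert")
        return "deny", log
    if not certname_verify(peer.host_name, cert):
        # the deny verb's logwrite fires before its !condition is evaluated
        log.append(f"[{peer.address}] {peer.host_name} client-cert "
                   "name mismatch; try relaxed-rDNS names")
        # forany over the PTR names other than $sender_host_name
        relaxed = any(
            item.lower() != peer.host_name.lower() and certname_verify(item, cert)
            for item in peer.ptr_names
        )
        if not relaxed:
            log.append(f"[{peer.address}] client-cert hostname mismatch")
            return "deny", log
    log.append(f"[{peer.address}] {peer.host_name} client-cert relaxed-rDNS name ok")
    return "accept", log


if __name__ == "__main__":
    # Constructed sample: cert names mx.example.org, rDNS gives a different
    # primary name but a second PTR record matches.
    mx = Cert("CN=mx.example.org", san_dns=["mx.example.org"])
    peer = Peer("192.0.2.11", "host11.example.org",
                ["host11.example.org", "mx.example.org"])
    verdict, lines = tls_inbound_event("tls:cert", "0", peer, mx)
    print(verdict)
    print("\n".join(lines))
```

Feeding the model a peer whose verified rDNS name differs from the certificate name but whose address has a second PTR record that does match walks the same path as the second deny verb in the post: the mismatch line is logged, the forany check succeeds, and the final accept fires. Note that the post's final accept logs "relaxed-rDNS name ok" on the exact-match path too, and the model reproduces that.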
--
Cheers,
Jeremy