[SoCoSA/discuss] exim TLS cert problem

Sean seanvanco at gmail.com
Thu Aug 27 09:40:31 PDT 2009


Thank you for the replies. The cert is valid until December of this year.

Perhaps a better explanation of the error message would help. It states:

"The server you are connected to is using a security certificate that
could not be verified.

The certificate's name does not match the passed value.

Do you want to continue using this server? Yes/No"

Does this help clarify matters? It does not seem to be rejecting the
issuer, and it did not when I first installed the cert. If anything
has changed to affect this I'm afraid that I don't know what it could
be.

Sean


On Thu, Aug 27, 2009 at 9:18 AM, Nicholas
Potterton<n.potterton at yahoo.co.uk> wrote:
> I grabbed this from a Google
>
> I may be wrong here, but my understanding of certs is that what exim is
> doing is checking the authorities on your certificate. The idea is that
> I would tell exim to allow mail from certs signed by the CA. I am now
> able to issue certs for new users without having to log on to the box
> and add their certificate
>
> From exim's point of view, it trusts the CA, and the CA trusts the
> certificate, so exim trusts the certificate.
>
> Hope that clears it up for you.
>
> R
>
> -----Original Message-----
> From: exim-users-bounces@??? [mailto:exim-users-bounces@???]
> On Behalf Of Lars Mainka
> Sent: 23 February 2005 08:52
> To: exim-users@???
> Subject: [exim] TLS and Client Certificate Verification
>
> <SNIP>
>
> In my mind, the directory must contain my client cert to allow the
> client to connect to the mailserver, not only the CA cert. Is this
> wrong?
>
> What I am looking for is a client authorization with certificates,
> before anything else is possible for the client. I did a ktrace for the
> whole process and the exim only verifies my client cert against the CA
> cert, not against the other certs in the directory.
>
> So the main question is: What do I have to do, to check on handshake
> against the clients certificates?
>
> I am using a self signed CA certificate and a cert for the mailserver
> which is signed by the CA, the daemon_smtp_ports = smtp : smtps and
> tls_on_connect_ports = 465 statements. My client MUA is on a host which
> is listed in the tls_verify_hosts, the tls_certificate file contains the
> CA cert, the mailserver cert and the mailserver's private key.
>
> --- On Thu, 8/27/09, Sean <seanvanco at gmail.com> wrote:
>
>
> From: Sean <seanvanco at gmail.com>
> Subject: [SoCoSA/discuss] exim TLS cert problem
> To: "SoCoSA general discussion list" <discuss at socosa.org>
> Date: Thursday, August 27, 2009, 8:51 AM
>
>
> I'm hoping that someone can help me with a security certificate
> problem with my exim server. This has worked in the past and I don't
> know why it is not working now.
>
> The situation is that my mail and web servers reside on the same box.
> I have two security certificates installed, one for www.domain.com and
> one for mail.domain.com. I have my exim server configured to use the
> mail.domain.com cert for TLS (exim.conf entries below), but when a
> Windows client (i.e. Outlook) uses TLS, it says that there is a
> problem with the security cert and that the CN does not match the
> server name. It is probably grabbing the www cert instead of the mail
> cert, but I see no way to verify this or why it would be happening.
>
> exim.conf excerpt:
>
> # SSL/TLS cert and key
> tls_certificate = /etc/exim.cert
> tls_privatekey = /etc/exim.key
>
> tls_advertise_hosts = *
>
> I had my certificate vendor confirm that the security cert listed
> above is the mail cert.
>
> My kmail program on Linux is not complaining of this problem (and
> according to /var/log/mail.log on the server the POP connection IS
> using TLS for the kmail app), but I do not know of a way to check to
> see what certs either client is using. Also, I'm not the only one
> having this problem with the TLS on my server, so I suspect it would
> happen for any user on any computer.
>
> I'm using Debian Etch 32-bit and exim 4 (the latest version).
>
>
> Thank you in advance for any help.
>
> Sean
>
>


