[SoCoSA/discuss] exim TLS cert problem
Kevan Benson
kbenson at a-1networks.com
Thu Aug 27 09:53:14 PDT 2009
If you want to easily see what's being presented to clients on
connecting, use OpenSSL in client mode:
openssl s_client -connect localhost:465
which should result in a telnet-like connection with all SSL/TLS info
dumped at the beginning.
That said, I think mail setups might be a bit more complicated because
there are modes where a normal connection is established first and TLS is
negotiated afterward. Plain SMTP over SSL is port 465, but that may not
be what you are doing.
If it's truly a cert problem, it might be as simple as Linux having more
CA certs than windows. In which case, you'll need to include the
intermediate certificates in the certificate chain used by exim in some
manner (that is, if you have a cert signed by X, and X is signed by Y,
but the client only recognizes Y as a valid CA, you have to include the
part that says X is signed by Y to form a "chain" of trust).
http://exim.org/exim-html-4.10/doc/html/spec_36.html#SECT36.6 seems to
indicate you just put intermediate certs in the same certificate file,
if that's what you need.
Sean wrote:
> I'm hoping that someone can help me with a security certificate
> problem with my exim server. This has worked in the past and I don't
> know why it is not working now.
>
> The situation is that my mail and web servers reside on the same box.
> I have two security certificates installed, one for www.domain.com and
> one for mail.domain.com. I have my exim server configured to use the
> mail.domain.com cert for TLS (exim.conf entries below), but when a
> Windows client (i.e. Outlook) uses TLS, it says that there is a
> problem with the security cert and that the CN does not match the
> server name. It is probably grabbing the www cert instead of the mail
> cert, but I see no way to verify this or why it would be happening.
>
> exim.conf excerpt:
>
> # SSL/TLS cert and key
> tls_certificate = /etc/exim.cert
> tls_privatekey = /etc/exim.key
>
> tls_advertise_hosts = *
>
> I had my certificate vendor confirm that the security cert listed
> above is the mail cert.
>
> My kmail program on Linux is not complaining of this problem (and
> according to /var/log/mail.log on the server the POP connection IS
> using TLS for the kmail app), but I do not know of a way to check to
> see what certs either client is using. Also, I'm not the only one
> having this problem with the TLS on my server, so I suspect it would
> happen for any user on any computer.
>
> I'm using Debian Etch 32-bit and exim 4 (the latest version).
>
>
> Thank you in advance for any help.
>
> Sean
>
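An added example, not code from the thread or from exim, that does in Python what Kevan's reply describes with `openssl s_client`: connect either TLS-from-the-start (port 465) or plain SMTP then STARTTLS, fetch the certificate the server actually presents, and report the two faults discussed above, a name that does not match the server name (Outlook's complaint) and a chain that does not verify (a missing intermediate). The host and port are taken from the command line; the chain is checked against Python's default CA store, which is an assumption about what the client trusts.

```python
import smtplib
import socket
import ssl
import sys

def cert_names(cert: dict) -> list:
    """Names a client compares the server name against: DNS SAN entries,
    or the subject CN only when the cert has no SAN (older certs)."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a single leading '*.' wildcard label (RFC 6125 style)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return hostname.count(".") == pattern.count(".") and hostname.endswith(pattern[1:])
    return pattern == hostname

def hostname_matches(cert: dict, hostname: str) -> bool:
    return any(name_matches(n, hostname) for n in cert_names(cert))

def probe(host: str, port: int, starttls: bool) -> dict:
    """Return what the server presented: its names, issuer, and whether the chain verified."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # verify the chain, but do the name check ourselves so we can report it
    try:
        if starttls:  # plain SMTP first (ports 25/587 style), TLS negotiated afterward
            smtp = smtplib.SMTP(host, port, timeout=10)
            smtp.starttls(context=ctx)
            cert = smtp.sock.getpeercert()
            smtp.quit()
        else:  # SMTP over SSL on 465: TLS from the first byte
            with ctx.wrap_socket(socket.create_connection((host, port), timeout=10),
                                 server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as e:
        # "unable to get local issuer certificate" here usually means the intermediate
        # is missing from the file named by tls_certificate, or the CA is not trusted.
        return {"chain_ok": False, "error": e.verify_message}
    issuer = dict(kv for rdn in cert.get("issuer", ()) for kv in rdn)
    return {"chain_ok": True, "names": cert_names(cert),
            "issuer": issuer.get("commonName"), "name_ok": hostname_matches(cert, host)}

if __name__ == "__main__":  # usage: probe.py mail.domain.com 465
    host, port = sys.argv[1], int(sys.argv[2])
    print(probe(host, port, starttls=(port != 465)))
```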