[SoCoSA/discuss] exim TLS cert problem

Kevan Benson kbenson at a-1networks.com
Thu Aug 27 09:53:14 PDT 2009


If you want to easily see what's being presented to clients on 
connecting, use OpenSSL in client mode:

	openssl s_client -connect localhost:465

which should result in a telnet-like connection with all SSL/TLS info 
dumped at the beginning.

That said, I think mail setups might be a bit more complicated because 
there's modes where a normal connection is established first and TLS is 
negotiated afterward.  Plain SMTP over SSL is port 465, but that may not 
be what you are doing.

If it's truly a cert problem, it might be as simple as Linux having more 
CA certs than windows.  In which case, you'll need to include the 
intermediate certificates in the certificate chain used by exim in some 
manner (that is, if you have a cert signed by X, and X is signed by Y, 
but the client only recognizes Y as a valid CA, you have to include the 
part that says X is signed by Y to form a "chain" of trust).

http://exim.org/exim-html-4.10/doc/html/spec_36.html#SECT36.6 seems to 
indicate you just put intermediate certs in the same certificate file, 
if that's what you need.

Sean wrote:
> I'm hoping that someone can help me with a security certificate
> problem with my exim server. This has worked in the past and I don't
> know why it is not working now.
> 
> The situation is that my mail and web servers reside on the same box.
> I have two security certificates installed, one for www.domain.com and
> one for mail.domain.com. I have my exim server configured to use the
> mail.domain.com cert for TLS (exim.conf entries below), but when a
> Windows client (i.e. Outlook) uses TLS, it says that there is a
> problem with the security cert and that the CN does not match the
> server name. It is probably grabbing the www cert instead of the mail
> cert, but I see no way to verify this or why it would be happening.
> 
> exim.conf excerpt:
> 
> # SSL/TLS cert and key
> tls_certificate = /etc/exim.cert
> tls_privatekey = /etc/exim.key
> 
> tls_advertise_hosts = *
> 
> I had my certificate vendor confirm that the security cert listed
> above is the mail cert.
> 
> My kmail program on Linux is not complaining of this problem (and
> according to /var/log/mail.log on the server the POP connection IS
> using TLS for the kmail app), but I do not know of a way to check to
> see what certs either client is using. Also, I'm not the only one
> having this problem with the TLS on my server, so I suspect it would
> happen for any user on any computer.
> 
> I'm using Debian Etch 32-bit and exim 4 (the latest version).
> 
> 
> Thank you in advance for any help.
> 
> Sean
> 
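A runnable version of the two points in the reply above, added here as an example and not part of the original thread: it builds a throwaway root (Y), an intermediate (X) and a leaf certificate for a made-up host mail.example.test with the openssl CLI (assumed to be installed), then shows what a client that trusts only Y makes of the leaf on its own versus the leaf plus intermediate in one file, which is the form exim's tls_certificate accepts, and what a hostname mismatch looks like. The s_client helper mirrors the command in the message and adds -starttls for the ports where TLS is negotiated after the plain connection; all hostnames, file names and the PKI itself are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the original thread. Needs only the openssl CLI.
# Hostnames, file names and the throwaway PKI below are made up for the demo.
set -e

WORK=${WORK:-$(mktemp -d)}

# The s_client command from the message, with two details that matter for
# mail: SNI (-servername) and STARTTLS. 465 (smtps) and 995 (pop3s) speak TLS
# from the first byte; 25/587 (smtp) and 110 (pop3) start in the clear and
# upgrade with STARTTLS. -showcerts prints every cert the server sends, so you
# can see whether the intermediate is there and what CN/SAN the leaf carries.
# Defined for reference only; the demo below never touches the network.
show_server_chain() {
  host=$1; port=$2
  case $port in
    465|995) openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null ;;
    25|587)  openssl s_client -connect "$host:$port" -servername "$host" -starttls smtp -showcerts </dev/null ;;
    110)     openssl s_client -connect "$host:$port" -servername "$host" -starttls pop3 -showcerts </dev/null ;;
    *)       echo "no STARTTLS rule for port $port" >&2; return 2 ;;
  esac
}

# Build root Y -> intermediate X -> leaf for mail.example.test, plus the file
# exim should be handed as tls_certificate: leaf first, then the intermediate.
make_test_pki() {
  cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  # Root CA "Y": the only thing the client trusts.
  openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 -days 2 \
    -subj "/CN=Y Root CA" -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1
  # Intermediate "X", signed by Y.
  openssl req -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=X Intermediate CA" -keyout "$WORK/inter.key" -out "$WORK/inter.csr" >/dev/null 2>&1
  printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' > "$WORK/inter.ext"
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -days 2 -sha256 -extfile "$WORK/inter.ext" -out "$WORK/inter.pem" >/dev/null 2>&1
  # Leaf for the mail host, signed by X, with the name in both CN and SAN.
  openssl req -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=mail.example.test" -keyout "$WORK/mail.key" -out "$WORK/mail.csr" >/dev/null 2>&1
  printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:mail.example.test\n' > "$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/mail.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" -CAcreateserial \
    -days 2 -sha256 -extfile "$WORK/leaf.ext" -out "$WORK/mail.pem" >/dev/null 2>&1
  # The chain file: server cert followed by X (the "X is signed by Y" link).
  cat "$WORK/mail.pem" "$WORK/inter.pem" > "$WORK/exim.cert"
}

# What a client that trusts only Y does with what the server sends.
# $1 leaf cert, $2 the name the client connected to, $3 (optional) the chain
# file the server presented alongside the leaf (exim.cert above).
verify_as_client() {
  leaf=$1; name=$2; chain=${3:-}
  if [ -n "$chain" ]; then
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$chain" \
      -verify_hostname "$name" "$leaf" 2>&1 | grep -q ': OK$'
  else
    openssl verify -CAfile "$WORK/root.pem" \
      -verify_hostname "$name" "$leaf" 2>&1 | grep -q ': OK$'
  fi
}

# Number of PEM certs in a file: 1 means the intermediate was left out.
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Subject CN of a cert, the name a client compares with the server name.
leaf_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

make_test_pki
echo "leaf CN: $(leaf_cn "$WORK/mail.pem"); certs in exim.cert: $(cert_count "$WORK/exim.cert")"
if verify_as_client "$WORK/mail.pem" mail.example.test; then
  echo "leaf alone: OK"
else
  echo "leaf alone: FAILS (client trusts Y but was never shown X)"
fi
if verify_as_client "$WORK/mail.pem" mail.example.test "$WORK/exim.cert"; then
  echo "leaf + intermediate: OK"
fi
if ! verify_as_client "$WORK/mail.pem" www.example.test "$WORK/exim.cert"; then
  echo "www.example.test against the mail cert: FAILS (the CN mismatch a client reports)"
fi
```

The last check models the symptom in the question: a correct chain still fails when the name the client connected to is not the one in the certificate, so "CN does not match" on its own does not tell you whether the wrong cert is being served or the client is connecting under a different name; openssl s_client -showcerts against the actual host and port answers that.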