Does Exim present its certificate when acting as client?
Hello,

I'm unable to make exim provide its certificate when it connects to
another server.

I have two exim (4.92) servers (Debian) -- one is my secondary mx
(Source) which sends mails to my primary mx (Destination). I want them
to mutually authenticate themselves (preferably using DANE).
Both servers have TLS configured (STARTTLS) using GnuTLS and show
"green" in various SMTP TLS checking tools.

When S sends a mail to D, I see a "CV=yes" in S logs (S validated the
certificate of D), but "CV=no" in the logs of D (and $tls_in_peerdn is
not defined).
When I connect from S to D using swaks and force the use of Exim's
certificate with --tls-cert, D sees it and validates.
D also sees and validates other certificates, from gmail for example,
or from my Thunderbird when I connect over SMTP to D.
If I require the use of a certificate (tls_verify_hosts) on D instead of
just "trying" it, the messages from S do not pass.

With DANE configured (both servers are "green" in
https://dane.sys4.de/), when I send a mail from S to D, it shows
"CV=dane" on S and "CV=no" on D.

The config on both servers is:

tls_advertise_hosts = *
tls_require_ciphers = ${if =={$received_port}{25}{NORMAL:%COMPAT}{SECURE192:+SECURE128:-VERS-ALL:+VERS-TLS1.2}}
tls_verify_certificates = /etc/ssl/certs/ca-certificates.crt  # Debian bundle
tls_try_verify_hosts = *

In transports I have:
  hosts_require_tls = S:D
  tls_verify_certificates = /etc/ssl/certs/ca-certificates.crt

I also have an ACL that tries to
  verify = certificate
and logs the value of $tls_in_peerdn

So my question: is it possible to force Exim to present its certificate
when it connects to another server as client?
And, if yes, what am I doing wrong?
Can I validate S's certificate on D with DANE?

Thanks for your advice!

A.


--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Does Exim present its certificate when acting as client?
On 06/04/2019 15:09, Antoine via Exim-users wrote:
> I'm unable to make exim provide its certificate when it connects to
> another server.

First, it's dependent on the server asking the client to
present a client cert. Second, on the client you need to
set, in the transport, tls_certificate and tls_privatekey.

http://exim.org/exim-html-current/doc/html/spec_html/ch-encrypted_smtp_connections_using_tlsssl.html#SECID185

--
Cheers,
Jeremy


Re: Does Exim present its certificate when acting as client?
On 08/04/2019 13:02, Jeremy Harris via Exim-users wrote:
> On 06/04/2019 15:09, Antoine via Exim-users wrote:
>> I'm unable to make exim provide its certificate when it connects to
>> another server.
> First, it's dependent on the server asking the client to
> present a client cert. Second, on the client you need to
> set, in the transport, tls_certificate and tls_privatekey.
>
> http://exim.org/exim-html-current/doc/html/spec_html/ch-encrypted_smtp_connections_using_tlsssl.html#SECID185
>
Thank you, Jeremy, I didn't realize that the options in transport affect
the server side. (BTW it's clearly stated in the docs.) It works for TLS.
Should it work for DANE as well? Actually with the next settings in
transport (on both sides), I get CV=dane on client and CV=yes on server:

  driver = smtp
  hosts_require_dane = server:client
  tls_verify_certificates = /etc/ssl/certs/ca-certificates.crt
  tls_certificate = cert.pem
  tls_privatekey = cert.key
  dnssec_request_domains = *

Thank you.

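An added check from the receiving side, not part of the thread: it parses Exim main-log arrival ("<=") lines on D for the X=, CV= and DN= fields the posts discuss, and flags messages from a peer that is expected to authenticate (here S) but arrived with CV=no or without TLS at all. The log lines are constructed samples; DN= is only present when log_selector includes +tls_peerdn.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample lines in Exim main-log format (not taken from the thread).
# "<=" marks a message arriving at this server; X= is the negotiated TLS
# cipher suite and CV= is Exim's verdict on the peer certificate (yes/no/dane).
SAMPLE_LOG = """\
2019-04-06 15:09:01 1hCxyz-0001ab-Cd <= a@example.org H=S.example.org [192.0.2.10] P=esmtps X=TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256 CV=no S=1024
2019-04-06 15:09:02 1hCxyz-0001ac-Ef <= b@example.org H=S.example.org (S) [192.0.2.10] P=esmtps X=TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256 CV=yes DN="CN=S.example.org" S=2048
2019-04-06 15:09:03 1hCxyz-0001ad-Gh <= c@gmail.com H=mail-x.google.com [198.51.100.7] P=esmtps X=TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256 CV=yes DN="CN=smtp.gmail.com" S=4096
2019-04-06 15:09:04 1hCxyz-0001ae-Ij <= d@example.net H=other.example.net [203.0.113.9] P=esmtp S=512
"""

# Timestamp, message id, "<=", sender, H=host [optional "(helo)"] [ip], rest of line.
ARRIVAL_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<id>\S+) <= (?P<sender>\S+) "
    r"H=(?P<host>\S+)(?: \([^)]*\))? \[(?P<ip>[^\]]+)\](?P<rest>.*)$"
)
# key=value pairs we care about; DN is quoted (and may contain '='), X and CV are bare.
FIELD_RE = re.compile(r'(?<!\S)(?P<key>X|CV|DN)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))')


def parse_arrival(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the TLS-relevant fields of an Exim '<=' line, or None if it is not one."""
    m = ARRIVAL_RE.match(line)
    if not m:
        return None
    fields: Dict[str, Optional[str]] = {"X": None, "CV": None, "DN": None}
    for f in FIELD_RE.finditer(m.group("rest")):
        fields[f.group("key")] = f.group("quoted") if f.group("quoted") is not None else f.group("bare")
    return {"id": m.group("id"), "host": m.group("host"), "ip": m.group("ip"),
            "cipher": fields["X"], "cv": fields["CV"], "dn": fields["DN"]}


def unauthenticated_from(log: str, expected_peers: Set[str]) -> List[Tuple[str, str]]:
    """(message id, reason) for arrivals from expected_peers whose client cert did not verify."""
    findings = []
    for line in log.splitlines():
        rec = parse_arrival(line)
        if rec is None or rec["host"] not in expected_peers:
            continue
        if rec["cipher"] is None:
            findings.append((rec["id"], "no TLS"))      # plaintext SMTP, no cert at all
        elif rec["cv"] not in ("yes", "dane"):
            findings.append((rec["id"], f"CV={rec['cv']}"))  # TLS, but peer cert not verified
    return findings


if __name__ == "__main__":
    for msg_id, reason in unauthenticated_from(SAMPLE_LOG, {"S.example.org"}):
        print(f"{msg_id}: peer expected to authenticate but {reason}")
```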