On 2008-07-25 at 22:27 +0200, M G Berberich wrote:
> I want to send mails to a smarthost encrypted. My attempts to do it
> over smtps failed, I suppose this can't be done with exim4.

Correct, to the best of my knowledge. SSL-on-connect is not in any
standards documents and is something the IETF argues against
(unfortunately, IMO).

> So I tried to force TLS. I have already added a “hosts_require_tls” to
> the “remote_smtp_smarthost” transport to prevent unencrypted delivery.
>
> I tried adding “tls_certificate = …/bla.crt” to make exim check the
> server certificate against bla.crt, but this gives me:

No, tls_certificate is how you tell Exim what its *own* TLS certificate is.

> So how do I make exim check the certificate to prevent
> man-in-the-middle attacks?

On the smarthost transport, you set tls_verify_certificates to point to
the CA certificates (a file for GnuTLS, a file or a directory for
OpenSSL, eg, /etc/ssl/certs/).

For *server* side, you can choose which hosts to optionally verify for,
independently of having configured certificates (tls_verify_hosts,
tls_try_verify_hosts). But for the *client* side, once you provide the
CA certs, verification is mandatory and there are no hooks to disable
it. There's only so many ways that Exim will let people shoot themselves
in their own foot and this isn't one of them. :)

Note that tls_verify_certificates is the name of *two* options,
depending upon where it's set, with the same meaning for both. If it's
set in the 'main' section of the configuration, then it's a server-side
setting and if it's set on an SMTP Transport, then it's a client-side
setting. Neither affects the other.

-Phil

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
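The two placements of tls_verify_certificates that Phil describes, shown side by side as an added configuration example (not from the thread or the Exim project). It assumes a single monolithic Exim configuration file; the certificate paths, the smarthost name and the port are constructed placeholders.

```exim
# Main (global) section: Exim acting as a *server*.
# tls_certificate / tls_privatekey are Exim's own identity, not a trust anchor.
# (hypothetical paths)
tls_certificate = /etc/exim4/exim.crt
tls_privatekey = /etc/exim4/exim.key
# Server-side tls_verify_certificates: CA bundle used to verify certificates
# that *connecting clients* present. With GnuTLS this must be a file.
tls_verify_certificates = /etc/ssl/certs/
# Server side lets you pick which peers to verify; "try" means a client
# without a certificate is still accepted.
tls_try_verify_hosts = *

begin transports

# Transport used for outbound delivery to the smarthost: Exim acting as a *client*.
remote_smtp_smarthost:
  driver = smtp
  # constructed placeholder hostname
  hosts = smarthost.example.net
  port = 587
  # Refuse to deliver in cleartext if STARTTLS is not offered or fails.
  hosts_require_tls = *
  # Client-side tls_verify_certificates: CA bundle used to verify the
  # *smarthost's* certificate. Once this is set on the transport,
  # verification is mandatory; there is no option to disable it here.
  tls_verify_certificates = /etc/ssl/certs/
```

Setting only the main-section option does nothing for outbound delivery; the transport needs its own copy, as the two settings are independent.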