After dealing with OpenSSL TLS issues for a while now, I decided to give GnuTLS a go since it supposedly is more flexible with its negotiations. I found that it supported more Internet SMTP encrypted sessions out of the box; however, I ran into issues with TLS_TRUSTCERTS. With OpenSSL I had specified:

    TLS_TRUSTCERTS=/etc/pki/tls/certs/gd_intermediate_bundle.crt

since my IMAP SSL Certificate was a secondary from GoDaddy. This worked fine for OpenSSL, but in the switch to GnuTLS, clients could no longer see the "chain". I tried a number of different ways and methods, but it seems to me right now that GnuTLS ignores the TLS_TRUSTCERTS setting. Can anybody offer any insight into this?

As a side question, could I theoretically take the couriertls binary from an OpenSSL compile and the couriertls binary from a GnuTLS binary and use them both in the same Courier install? I'm thinking of setting it up like:

    /usr/lib/courier/bin/couriertls-gnutls
    /usr/lib/courier/bin/couriertls-openssl
    /usr/lib/courier/bin/couriertls -> /usr/lib/courier/bin/couriertls-openssl

then by default, services would use SSL, but in /etc/courier/esmtpd I would set:

    COURIERTLS=/usr/lib/courier/bin/couriertls-gnutls

thus (if it works) port 25 server SMTP traffic would use GnuTLS while smtps (465), imap, imaps, pop3 and pop3s would use OpenSSL. All my relaying client machines use 465, so they would get OpenSSL. The reason for this is that I have pretty tight control over my IMAP/POP3/SMTPS clients and can make sure they're using software that does TLS/SSL3 properly, but I want to support all the (broken) Internet Servers that break with OpenSSL.

So am I way off on this one or what?

Jay

--
Jay Lee
Network / Systems Administrator
Technology Services
Philadelphia Biblical University
