Your message dated Tue, 27 Oct 2009 21:07:32 +0000
with message-id <[email protected]>
and subject line Bug#544472: fixed in exim4 4.70~cvs+20091026-1
has caused the Debian Bug report #544472,
regarding clarify exim client TLS documentation
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
544472: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=544472
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: exim4-daemon-heavy
Version: 4.69-9
Severity: important
It seems that the certificate verification fails when Exim
connects to the peer, while should the peer in question connect
to Exim, it succeeds. Consider, e. g.:
* accepting peer's connection (we're the server):
2009-08-31 20:03:54 1MiD6Y-0006C4-8S <= i...@main... H=... (...) [62.109.12.37]
P=esmtps X=TLS1.0:RSA_AES_256_CBC_SHA1:32 CV=yes DN="C=RU,ST=Altai
Krai,O=Private,OU=SMTP
peers,CN=waterlily.ip.uusia.org,[email protected]" S=800
id=e1mid6m-00052j...@...
* making a connection to the same peer (we're the client):
2009-08-31 20:05:43 1MiD8A-0008Jf-2X => i...@main... R=hubbed_hosts
T=remote_smtp H=waterlily.ip.uusia.org [62.109.12.37]
X=TLS1.0:RSA_AES_256_CBC_SHA1:32 CV=no DN="C=RU,ST=Altai Krai,O=Private,OU=SMTP
peers,CN=waterlily.ip.uusia.org,[email protected]"
Note the CV=yes vs. CV=no discrepancy.
NB: without the reliable certificate verification for receivers
it's impossible to be secure against a MitM attack, as a server
with a self-signed (or otherwise unverifiable) certificate may
pose as a legitimate receiver or relay for the outgoing mail.
The remote configuration has the same key + certificate pair
(/etc/exim4/exim.key and exim.crt) set both for the server
(these are the defaults) and the SMTP client:
### main/00_local_tls_client
REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS = *
REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE = /etc/exim4/exim.crt
REMOTE_SMTP_SMARTHOST_TLS_PRIVATEKEY = /etc/exim4/exim.key
### main/00_local_tls_client ends here
### transport/30_exim4-config_remote_smtp_smarthost
#################################
# This transport is used for delivering messages over SMTP connections
# to a smarthost. The local host tries to authenticate.
# This transport is used for smarthost and satellite configurations.
remote_smtp_smarthost:
debug_print = "T: remote_smtp_smarthost for $local_p...@$domain"
driver = smtp
hosts_try_auth = <; ${if exists{CONFDIR/passwd.client} \
{\
${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$host_address}}\
}\
{} \
}
.ifdef REMOTE_SMTP_SMARTHOST_TLS_PRIVATEKEY
tls_privatekey = REMOTE_SMTP_SMARTHOST_TLS_PRIVATEKEY
.endif
.ifdef REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE
tls_certificate = REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE
.endif
.ifdef REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS
hosts_require_tls = REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS
.endif
.ifdef REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS
hosts_avoid_tls = REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS
.endif
.ifdef REMOTE_SMTP_HEADERS_REWRITE
headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE
.endif
.ifdef REMOTE_SMTP_RETURN_PATH
return_path = REMOTE_SMTP_RETURN_PATH
.endif
.ifdef REMOTE_SMTP_HELO_FROM_DNS
helo_data=REMOTE_SMTP_HELO_DATA
.endif
--
FSF associate member #7257
--- End Message ---
--- Begin Message ---
Source: exim4
Source-Version: 4.70~cvs+20091026-1
We believe that the bug you reported is fixed in the latest version of
exim4, which is due to be installed in the Debian FTP archive:
exim4-base_4.70~cvs+20091026-1_i386.deb
to main/e/exim4/exim4-base_4.70~cvs+20091026-1_i386.deb
exim4-config_4.70~cvs+20091026-1_all.deb
to main/e/exim4/exim4-config_4.70~cvs+20091026-1_all.deb
exim4-daemon-heavy-dbg_4.70~cvs+20091026-1_i386.deb
to main/e/exim4/exim4-daemon-heavy-dbg_4.70~cvs+20091026-1_i386.deb
exim4-daemon-heavy_4.70~cvs+20091026-1_i386.deb
to main/e/exim4/exim4-daemon-heavy_4.70~cvs+20091026-1_i386.deb
exim4-daemon-light-dbg_4.70~cvs+20091026-1_i386.deb
to main/e/exim4/exim4-daemon-light-dbg_4.70~cvs+20091026-1_i386.deb
exim4-daemon-light_4.70~cvs+20091026-1_i386.deb
to main/e/exim4/exim4-daemon-light_4.70~cvs+20091026-1_i386.deb
exim4-dbg_4.70~cvs+20091026-1_i386.deb
to main/e/exim4/exim4-dbg_4.70~cvs+20091026-1_i386.deb
exim4-dev_4.70~cvs+20091026-1_i386.deb
to main/e/exim4/exim4-dev_4.70~cvs+20091026-1_i386.deb
exim4_4.70~cvs+20091026-1.diff.gz
to main/e/exim4/exim4_4.70~cvs+20091026-1.diff.gz
exim4_4.70~cvs+20091026-1.dsc
to main/e/exim4/exim4_4.70~cvs+20091026-1.dsc
exim4_4.70~cvs+20091026-1_all.deb
to main/e/exim4/exim4_4.70~cvs+20091026-1_all.deb
exim4_4.70~cvs+20091026.orig.tar.gz
to main/e/exim4/exim4_4.70~cvs+20091026.orig.tar.gz
eximon4_4.70~cvs+20091026-1_i386.deb
to main/e/exim4/eximon4_4.70~cvs+20091026-1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andreas Metzler <[email protected]> (supplier of updated exim4 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160
Format: 1.8
Date: Mon, 26 Oct 2009 16:09:32 +0100
Source: exim4
Binary: exim4-base exim4-config exim4-daemon-light exim4 exim4-daemon-heavy
exim4-daemon-custom eximon4 exim4-dbg exim4-daemon-light-dbg
exim4-daemon-heavy-dbg exim4-daemon-custom-dbg exim4-dev
Architecture: source i386 all
Version: 4.70~cvs+20091026-1
Distribution: experimental
Urgency: low
Maintainer: Exim4 Maintainers <[email protected]>
Changed-By: Andreas Metzler <[email protected]>
Description:
exim4 - metapackage to ease Exim MTA (v4) installation
exim4-base - support files for all Exim MTA (v4) packages
exim4-config - configuration for the Exim MTA (v4)
exim4-daemon-custom - custom Exim MTA (v4) daemon with locally set features
exim4-daemon-custom-dbg - debugging symbols for the Exim MTA (v4) packages
exim4-daemon-heavy - Exim MTA (v4) daemon with extended features, including
exiscan-ac
exim4-daemon-heavy-dbg - debugging symbols for the Exim MTA (v4) packages
exim4-daemon-light - lightweight Exim MTA (v4) daemon
exim4-daemon-light-dbg - debugging symbols for the Exim MTA (v4) packages
exim4-dbg - debugging symbols for the Exim MTA (v4) packages
exim4-dev - header files for the Exim MTA (v4) packages
eximon4 - monitor application for the Exim MTA (v4) (X11 interface)
Closes: 544472 551106
Changes:
exim4 (4.70~cvs+20091026-1) experimental; urgency=low
.
* New snapshot.
+ Fixes segfault in dovecot authenticator. Closes: #551106
+ Improved documentation regarding certifacte verification on outgoing
SMTP connections. Closes: #544472
* Drop 40_boolean_redefine_protect.dpatch - included upstream.
* Drop unapplied superfluous patches from diff: 36_pcre 37_exiwhatpsmisc.
Checksums-Sha1:
0c6735259c7e88f55fcc9e64c8e4fab4dc7ba5d4 1686 exim4_4.70~cvs+20091026-1.dsc
8203a1298df6d0c535a5c8d483de4748899eac7b 2123451
exim4_4.70~cvs+20091026.orig.tar.gz
cd590462eeaa8aeb98b839521dcbbea31b6e11f9 556794
exim4_4.70~cvs+20091026-1.diff.gz
619662975e2dbe4cd9fcce5af5edbe9b8761492a 999946
exim4-base_4.70~cvs+20091026-1_i386.deb
a1481cfab10c012ff80415f7e1a447b0af7a875d 99792
eximon4_4.70~cvs+20091026-1_i386.deb
27311ef876adaee1ed4aa52abdcabd66c5c5f7f4 459480
exim4-daemon-light_4.70~cvs+20091026-1_i386.deb
c2144ae9010cf9192d020353c8b559efcb34a6f2 507892
exim4-daemon-heavy_4.70~cvs+20091026-1_i386.deb
b39781f737622779c1c688185dc8f10164ea761e 721506
exim4-daemon-light-dbg_4.70~cvs+20091026-1_i386.deb
7438230bebf77f5263fd57ff3ecebbc705d19490 808170
exim4-daemon-heavy-dbg_4.70~cvs+20091026-1_i386.deb
aebc43572716cf38f3da920f0c475f94508fe2f1 265248
exim4-dbg_4.70~cvs+20091026-1_i386.deb
92a27c6433bfb177a9250eec014793680d4eb729 72634
exim4-dev_4.70~cvs+20091026-1_i386.deb
8338252d307d33a047b96bede049107bf67690ee 372714
exim4-config_4.70~cvs+20091026-1_all.deb
cbf9f6f863295408a02593563cdf6505592ac2c6 7894 exim4_4.70~cvs+20091026-1_all.deb
Checksums-Sha256:
cc7f470f814fab98a0a68f61badde4ab05999e21bb9005990314740bd6a4ab8f 1686
exim4_4.70~cvs+20091026-1.dsc
0c089ed31233ad8c1dfea4a242280e36969af74dd4c5aa8212081c2bcaa09206 2123451
exim4_4.70~cvs+20091026.orig.tar.gz
0eb8717e62f22a4be2bc6f29bdc7e84a1d98896fe533e50421d44460d81ab56f 556794
exim4_4.70~cvs+20091026-1.diff.gz
66208f08c33d31c1d874a789fdad765c1a7da97156d50ed7b853b4a6410458f7 999946
exim4-base_4.70~cvs+20091026-1_i386.deb
acee8e2c74ec9ed96560af479a98e33eb1078c731cc7ffcf01f9efb71f92c4e0 99792
eximon4_4.70~cvs+20091026-1_i386.deb
b62beea45cc5153fccfa2f52eb0ac1e6373512d8dcee1e33da5cf47301b249a6 459480
exim4-daemon-light_4.70~cvs+20091026-1_i386.deb
48757a48ac56d4723982a960db37156e957d83ab7e9adf215b81a55a987d827f 507892
exim4-daemon-heavy_4.70~cvs+20091026-1_i386.deb
d72fbaf21a3422ef4db3156b7cfd52878246a6723c62d11efbc5ea79ca08ef93 721506
exim4-daemon-light-dbg_4.70~cvs+20091026-1_i386.deb
3c9a40a2a99791a8befe8ae72312925af64218e54fe435886f61521d3f7081b7 808170
exim4-daemon-heavy-dbg_4.70~cvs+20091026-1_i386.deb
0052ef1887b9621319d60c9daf943172a6bb11a4ccbb73e6daa5d16c20b446d9 265248
exim4-dbg_4.70~cvs+20091026-1_i386.deb
2db83a9c5973eb4b15ea96eed9f0da85199e1fa0a9ace2b2bc8fa9b239167385 72634
exim4-dev_4.70~cvs+20091026-1_i386.deb
5e5b5b39e2401ccde81071894ea481a7fe4b555610c73a2a2a9d83b35e5a3a2c 372714
exim4-config_4.70~cvs+20091026-1_all.deb
a0b232a809bd3e5d141e92e5c153810ee1b5539c9a5bc32afd52bee983fb0b57 7894
exim4_4.70~cvs+20091026-1_all.deb
Files:
34bd42443c3045db45b94be0c7401398 1686 mail standard
exim4_4.70~cvs+20091026-1.dsc
3a5bc1e56d762e3eb02b18d9ce99acb9 2123451 mail standard
exim4_4.70~cvs+20091026.orig.tar.gz
6112dcc40cbc53ff11b3597e6caeb3b5 556794 mail standard
exim4_4.70~cvs+20091026-1.diff.gz
19b861c35c2a71b0a0d4109472c5460a 999946 mail standard
exim4-base_4.70~cvs+20091026-1_i386.deb
fc71f6f3e8262b99132203c4e9b6904a 99792 mail optional
eximon4_4.70~cvs+20091026-1_i386.deb
0c8f0300c2e92df1c00ed2ecfd474fb5 459480 mail standard
exim4-daemon-light_4.70~cvs+20091026-1_i386.deb
5666d06904b809eb1aaa91656efbed2d 507892 mail optional
exim4-daemon-heavy_4.70~cvs+20091026-1_i386.deb
b5f3da3b0b93018f131620b9420f27da 721506 debug extra
exim4-daemon-light-dbg_4.70~cvs+20091026-1_i386.deb
3bd03af1e61a190b3f2451b11d6d62ee 808170 debug extra
exim4-daemon-heavy-dbg_4.70~cvs+20091026-1_i386.deb
628445f09b387203f1c96ef03ae5c44c 265248 debug extra
exim4-dbg_4.70~cvs+20091026-1_i386.deb
b2f9bfe6d2523d3e7bcc6272effc103d 72634 mail extra
exim4-dev_4.70~cvs+20091026-1_i386.deb
484ca24c2606568f8faeeeb4c4185938 372714 mail standard
exim4-config_4.70~cvs+20091026-1_all.deb
6394591dc216400616a8e01971855180 7894 mail standard
exim4_4.70~cvs+20091026-1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEAREDAAYFAkrl1NMACgkQHTOcZYuNdmO6OQCfSa85w6QAV/8EPlcQIoJ3plDP
buQAnAhg1RamjsyDttzF2WsNZuEPa9E9
=rHyy
-----END PGP SIGNATURE-----
--- End Message ---
