Hi.

On Sat, Jul 31, 2021 at 01:08:19AM +0200, rudu wrote:
> Thank you Reco, see below
>
> On 30/07/2021 at 18:27, Reco wrote:
> > On Fri, Jul 30, 2021 at 07:25:34PM +0300, Reco wrote:
> > > Hi.
> > >
> > > On Fri, Jul 30, 2021 at 03:35:28PM +0200, rudu wrote:
> > > > Still, a simple :
> > > > $ mail -s test my.n...@provider.fr
> > > > ... ends up to show in # tail -f /var/log/exim4/mainlog :
> > > > 2021-07-30 10:58:09 1m9OLJ-000cAf-Ss <= my.n...@provider.fr U=rudu
> > > > P=local S=461
> > > > 2021-07-30 10:58:10 1m9OLJ-000cAf-Ss == my.n...@provider.fr R=smarthost
> > > > T=remote_smtp_smarthost defer (-37) H=smtpauth.provider.fr
> > > > [185.204.xxx.xxx]: TLS
> > > > session: (certificate verification failed): certificate invalid
> > > Your exim certificate has nothing to do with this.
> > > But your smarthost certificate certainly does.
> > >
> > > Every time you try to send a mail, your exim checks certificate of
> > > remote MTA, and it does not like what it sees.
> > >
> > > > So, when I ran the command :
> > > > # bash /usr/share/doc/exim4-base/examples/exim-gencert
> > > > ... did I miss something that should be there ?
> > > It's possible. Please provide an output of:
> > >
> > > grep -i 'tls_.*verify' /var/lib/exim4/config.autogenerated
> > >
> > > grep split exim4/update-exim4.conf.conf
> > A typo.
> >
> > grep -i 'tls_.*verify' /var/lib/exim4/config.autogenerated
> # grep -i 'tls_.*verify' /var/lib/exim4/config.autogenerated
> .ifndef MAIN_TLS_VERIFY_CERTIFICATES
> MAIN_TLS_VERIFY_CERTIFICATES = ${if
> exists{/etc/ssl/certs/ca-certificates.crt}\
> tls_verify_certificates = MAIN_TLS_VERIFY_CERTIFICATES
> .ifdef MAIN_TLS_VERIFY_HOSTS
> tls_verify_hosts = MAIN_TLS_VERIFY_HOSTS
> .ifdef MAIN_TLS_TRY_VERIFY_HOSTS
> tls_try_verify_hosts = MAIN_TLS_TRY_VERIFY_HOSTS
> .ifndef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
> REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS = *
> .ifdef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_CERTIFICATES
> tls_verify_certificates = REMOTE_SMTP_SMARTHOST_TLS_VERIFY_CERTIFICATES
> .ifdef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
> tls_verify_hosts = REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS

This part of exim4 config shows that it has certificate verification
enabled. And it does this for smarthosts too, which corresponds to
REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS = *.

> > grep split /etc/exim4/update-exim4.conf.conf
> # grep split /etc/exim4/update-exim4.conf.conf
> dc_use_split_config='false'

And this part shows that to change this you have to edit files at
/etc/exim4/conf.d.

The only question left is - which particular macro defines
REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS, because it certainly does not
happen here (exim4-daemon-heavy, buster, but I don't use "satellite"
configuration).

Therefore,

grep -R REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS /etc/exim4/conf.d

Reco
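
Added example, not part of the original message: a shell function that pulls the deferred deliveries with "certificate verification failed" out of an exim4 mainlog and counts them per remote host and transport, which shows whose certificate exim is rejecting. The log lines are constructed (placeholder addresses, host and IP), and the names sample_log and tls_verify_failures are hypothetical.

```shell
#!/bin/sh
# Added example: triage an exim4 mainlog for smarthost TLS verification failures.

# Constructed sample in exim4 mainlog format. Addresses, host name and IP are
# placeholders (example.org / example.net / 192.0.2.0/24), not from the thread.
sample_log() {
cat <<'EOF'
2021-07-30 10:58:09 1m9OLJ-000cAf-Ss <= user@example.org U=rudu P=local S=461
2021-07-30 10:58:10 1m9OLJ-000cAf-Ss == user@example.org R=smarthost T=remote_smtp_smarthost defer (-37) H=smtp.example.net [192.0.2.25]: TLS session: (certificate verification failed): certificate invalid
2021-07-30 11:28:10 1m9OLJ-000cAf-Ss == user@example.org R=smarthost T=remote_smtp_smarthost defer (-37) H=smtp.example.net [192.0.2.25]: TLS session: (certificate verification failed): certificate invalid
2021-07-30 11:30:02 1m9OPh-000cBx-2k => user@example.org R=smarthost T=remote_smtp_smarthost H=mx.example.net [192.0.2.26] X=TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256 CV=yes C="250 OK"
2021-07-30 11:35:00 1m9ORw-000cCq-9a == other@example.org R=smarthost T=remote_smtp_smarthost defer (-53): retry time not reached for any host
EOF
}

# Read a mainlog on stdin and print "<count> <remote host> <transport>" for
# every deferred delivery ("==") whose reason is a failed certificate
# verification. Other deferrals (e.g. retry time not reached) are ignored.
tls_verify_failures() {
  awk '
    / == / && /certificate verification failed/ {
      host = ""; transport = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^H=/) host = substr($i, 3)        # H=<remote MTA name>
        if ($i ~ /^T=/) transport = substr($i, 3)   # T=<exim transport>
      }
      n[host " " transport]++
    }
    END { for (k in n) print n[k], k }
  ' | sort
}

# Stand-alone run against the constructed sample.
sample_log | tls_verify_failures
```

On a real system feed it the log instead (`tls_verify_failures < /var/log/exim4/mainlog`); each host it lists can then be inspected with `openssl s_client -starttls smtp -connect HOST:PORT -CAfile /etc/ssl/certs/ca-certificates.crt`, where HOST and PORT are placeholders.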