Hi.

On Sat, Jul 31, 2021 at 01:08:19AM +0200, rudu wrote:
> Thank you Reco, see below
> 
> On 30/07/2021 at 18:27, Reco wrote:
> > On Fri, Jul 30, 2021 at 07:25:34PM +0300, Reco wrote:
> > >   Hi.
> > > 
> > > On Fri, Jul 30, 2021 at 03:35:28PM +0200, rudu wrote:
> > > > Still, a simple :
> > > > $ mail -s test my.n...@provider.fr
> > > > ... ends up to show in # tail -f /var/log/exim4/mainlog :
> > > > 2021-07-30 10:58:09 1m9OLJ-000cAf-Ss <= my.n...@provider.fr U=rudu 
> > > > P=local S=461
> > > > 2021-07-30 10:58:10 1m9OLJ-000cAf-Ss == my.n...@provider.fr R=smarthost 
> > > > T=remote_smtp_smarthost defer (-37) H=smtpauth.provider.fr 
> > > > [185.204.xxx.xxx]: TLS
> > > > session: (certificate verification failed): certificate invalid
> > > Your exim certificate has nothing to do with this.
> > > But your smarthost certificate certainly does.
> > > 
> > > Every time you try to send a mail, your exim checks certificate of
> > > remote MTA, and it does not like what it sees.
> > > 
> > > > So, when I ran the command :
> > > > # bash /usr/share/doc/exim4-base/examples/exim-gencert
> > > > ... did I miss something that should be there ?
> > > It's possible. Please provide an output of:
> > > 
> > > grep -i 'tls_.*verify' /var/lib/exim4/config.autogenerated
> > > 
> > > grep split exim4/update-exim4.conf.conf
> > A typo.
> > 
> > grep -i 'tls_.*verify' /var/lib/exim4/config.autogenerated
> # grep -i 'tls_.*verify' /var/lib/exim4/config.autogenerated
> .ifndef MAIN_TLS_VERIFY_CERTIFICATES
> MAIN_TLS_VERIFY_CERTIFICATES = ${if 
> exists{/etc/ssl/certs/ca-certificates.crt}\
> tls_verify_certificates = MAIN_TLS_VERIFY_CERTIFICATES
> .ifdef MAIN_TLS_VERIFY_HOSTS
> tls_verify_hosts = MAIN_TLS_VERIFY_HOSTS
> .ifdef MAIN_TLS_TRY_VERIFY_HOSTS
> tls_try_verify_hosts = MAIN_TLS_TRY_VERIFY_HOSTS
> .ifndef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
>   REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS = *
> .ifdef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_CERTIFICATES
>   tls_verify_certificates = REMOTE_SMTP_SMARTHOST_TLS_VERIFY_CERTIFICATES
> .ifdef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
>   tls_verify_hosts = REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS

This part of exim4 config shows that it has certificate verification
enabled. And it does this for smarthosts too, which corresponds to
REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS = *.


> > grep split /etc/exim4/update-exim4.conf.conf
> # grep split /etc/exim4/update-exim4.conf.conf
> dc_use_split_config='false'

And this part shows that to change this you have to edit files at
/etc/exim4/conf.d.


The only question left is - which particular macro defines
REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS, because it certainly does not
happen here (exim4-daemon-heavy, buster, but I don't use "satellite"
configuration).

Therefore,

grep -R REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS /etc/exim4/conf.d

Reco
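
Added example, not part of Reco's message or of Debian's exim4 packaging: a small resolver for the .ifdef/.ifndef macro guards seen in the grep output, showing why tls_verify_hosts ends up as * for the smarthost transport unless the macro is already defined earlier in the configuration. The SAMPLE fragment, the resolve() and expand() helpers and the whole-token macro expansion are assumptions made for illustration.

```python
import re

# Constructed fragment modelled on the grep output quoted above, with the
# .endif lines (which the grep pattern filtered out) put back.
SAMPLE = """\
.ifndef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
  REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS = *
.endif
.ifdef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_CERTIFICATES
  tls_verify_certificates = REMOTE_SMTP_SMARTHOST_TLS_VERIFY_CERTIFICATES
.endif
.ifdef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
  tls_verify_hosts = REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
.endif
"""

MACRO_DEF = re.compile(r"^([A-Z][A-Za-z0-9_]*)\s*=\s*(.*)$")
OPTION = re.compile(r"^([a-z][a-z0-9_]*)\s*=\s*(.*)$")
MACRO_USE = re.compile(r"\b[A-Z][A-Za-z0-9_]*\b")


def expand(text, macros):
    # Whole-token substitution; a simplification of Exim's textual replacement.
    return MACRO_USE.sub(lambda m: macros.get(m.group(0), m.group(0)), text)


def resolve(config, predefined=None):
    """Evaluate .ifdef/.ifndef/.else/.endif and return (macros, options)."""
    macros, options, stack = dict(predefined or {}), {}, []
    for raw in config.splitlines():
        line = raw.strip()
        word, _, arg = line.partition(" ")
        if word in (".ifdef", ".ifndef"):
            defined = arg.strip() in macros
            stack.append(defined if word == ".ifdef" else not defined)
        elif word == ".else" and stack:
            stack[-1] = not stack[-1]
        elif word == ".endif" and stack:
            stack.pop()
        elif all(stack) and (m := MACRO_DEF.match(line)):
            macros[m.group(1)] = expand(m.group(2), macros)
        elif all(stack) and (m := OPTION.match(line)):
            options[m.group(1)] = expand(m.group(2), macros)
    return macros, options


if __name__ == "__main__":
    print(resolve(SAMPLE)[1])   # nothing predefined: the default applies
    print(resolve(SAMPLE, {"REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS":
                           "smtpauth.provider.fr"})[1])
```

The resolver treats its input as a single fragment: it does not track sections, line continuations or .include, so an option name set in more than one place is reported with its last active value.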
