On Tue, Nov 23, 2010 at 08:19:39PM +0100, Matthias-Christian Ott said:
> On Tue, Nov 23, 2010 at 01:55:36PM -0500, Phil Pennock wrote:
> > On 2010-11-22 at 23:14 +0100, Matthias-Christian Ott wrote:
> > > for fail-over I want to add a spooling relay to an existing Exim
> > > server. I would prefer to use authentication via client certificates. Is
> > > this possible with Exim?
> >
> > Yes. Use the tls_certificate and tls_privatekey options on the SMTP
> > Transport used. There are other relevant options too. See:
> > 30.4 Private options for smtp
> > 39.9 Configuring an Exim client to use TLS
> > of The Exim Specification, "spec.txt" or online at:
> > http://www.exim.org/exim-html-current/doc/html/spec_html/index.html
>
> This is not what I was looking for. I'm already using TLS and
> tls_verify_certificates doesn't solve my problem because it seems to me
> that I have to keep all client certificates on the actual mail server in a
> directory.
>
> I would like to sign the server and the client (relay) certificate
> by a CA and store the CA certificate on the server and instruct the
> server to accept only messages from relays which provide a certificate
> which is signed by the server (similar to OpenID client certificate
> authentication).
You need to do something like:

tls_verify_certificates = /etc/exim4/ssl/ca.crt
tls_try_verify_hosts = *

On the relay. This will verify the cert against the CA, rather than
against a known list of certs.

Cheers,
-- 
Stephen Gran
[email protected]
http://www.lobefin.net/~steve
Gnagloot, n.: A person who leaves all his ski passes on his jacket just to
impress people. -- Rich Hall, "Sniglets"

-- 
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
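To show how the two options above fit into a complete setup for the scenario in the question, here is an added example configuration (not from the thread, nor Exim's own default config): the receiving server verifies the relay's certificate against the CA and relays only for sessions whose certificate verified, and the relay presents its CA-signed certificate when sending. All file paths and domain names are assumptions; the two halves belong to two different hosts.

```exim
# ===== Mail server (receives from the relay): main section =====
domainlist local_domains = @ : example.org        # assumed local domains

tls_advertise_hosts = *
tls_certificate = /etc/exim4/ssl/server.crt       # assumed paths
tls_privatekey  = /etc/exim4/ssl/server.key

# Only the CA certificate is stored here; the server never needs a copy
# of the relay's own certificate, it just checks the signature chain.
tls_verify_certificates = /etc/exim4/ssl/ca.crt

# Request a client certificate from everyone, but let the session
# continue if none is presented or it fails to verify: the ACL below
# decides what an unverified session may do.
tls_try_verify_hosts = *

begin acl

acl_check_rcpt:
  # Mail for our own domains is accepted as usual.
  accept  domains = +local_domains

  # Relaying is allowed only when the session is encrypted and the
  # client certificate was presented and verified against the CA.
  accept  verify = certificate
          logwrite = relaying for verified TLS peer $tls_peerdn

  # Anything else asking us to relay is refused.
  deny    message = relaying denied: verified client certificate required

# ===== Spooling relay (sends to the mail server): transports section =====
begin transports

to_mailserver:
  driver = smtp
  hosts_require_tls = *                            # never fall back to plain
  tls_certificate = /etc/exim4/ssl/relay.crt       # CA-signed relay cert
  tls_privatekey  = /etc/exim4/ssl/relay.key
  # Verify the server's certificate against the same CA, so the relay
  # does not hand its queue to an impostor.
  tls_verify_certificates = /etc/exim4/ssl/ca.crt
```

Using tls_verify_hosts instead of tls_try_verify_hosts would make the server drop the TLS session at the handshake when the certificate is missing or invalid, rather than leaving the decision to the ACL; the ACL form keeps unauthenticated inbound mail for local domains working.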
