On 16/12/14 23:24, Tristan Schmelcher wrote:
> When using TLS certificate verification on outgoing SMTP, is it possible to enable verification of the remote server certificate's Common Name or Subject Alternate Name against the server hostname configured in the route_list?
Yes, if you compile with EXPERIMENTAL_CERTNAMES or are running 4.next. Or, with some effort, compile with EXPERIMENTAL_EVENT and write a bunch of custom event handlers on tls:cert using certificate extractors.
> It seems that even when tls_verify_certificates is set there is no verification of the CN/SAN.
Lacking any of the above, correct.
> I am thinking there may be a way to achieve this verification with $tls_out_peerdn but it's not clear to me how. Has anyone done this before? My server requires authentication so I would like to do this to prevent a MitM attack from stealing my auth credentials.
The information isn't there in $tls_out_peerdn in the SAN case.

-- 
Cheers,
  Jeremy
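As an added illustration (not from this thread or the Exim project), an smtp transport that only sets tls_verify_certificates beside one that also turns on tls_verify_cert_hostnames, the option an EXPERIMENTAL_CERTNAMES build provides; the router, transport and relay host names, the CA bundle path and an already-configured authenticator are assumptions.

```exim
begin transports

# Weak: the CA chain is checked, but not the name in the certificate.
# A certificate issued by any trusted CA for any hostname is accepted,
# so a MitM holding such a certificate can still collect AUTH credentials.
remote_smtp_weak:
  driver = smtp
  hosts_require_tls = *
  # assumed CA bundle path
  tls_verify_certificates = /etc/ssl/certs/ca-certificates.crt

# Hardened: needs Exim built with EXPERIMENTAL_CERTNAMES (or 4.next).
# The host name supplied by the router (the route_list entry below) is
# compared with the certificate's CN/SAN; on a mismatch verification
# fails, no AUTH is sent and the delivery is deferred.
remote_smtp_auth:
  driver = smtp
  hosts_require_tls = *
  hosts_require_auth = *
  # assumed CA bundle path
  tls_verify_certificates = /etc/ssl/certs/ca-certificates.crt
  tls_verify_cert_hostnames = *
  tls_sni = $host

begin routers

# Assumed router and relay host. Use a DNS name, not an IP address, in
# route_list: an IP gives the hostname check nothing to match against.
smarthost:
  driver = manualroute
  domains = ! +local_domains
  route_list = * smtp.example.com
  transport = remote_smtp_auth
```

Both transports keep hosts_require_tls so that a downgrade to plaintext is refused rather than silently accepted.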
