Hello Heiko,

   When I used exim-gencert, I set the FQDN name of the Exim server in the
   field "Server name (eg. ssl.domain.tld; required!!!) [])". So here I
   think it's good.

   With the default Thunderbird detection, I get: SMTP with port 25 and
   no TLS... If I confirm this for the account, then as you said, there is
   a certificate warning :/
   So is that because it's a self-signed certificate? Is there no way to
   generate a true certificate for a LAN network? That's why I asked about
   LetsEncrypt in my previous mail.

   Ok, I will dig this morning with tcpdump.

   Thanks.

   Regards,

   John
   Sent: Wednesday, 14 June 2017 at 01:43
   From: "Heiko Schlittermann via Exim-users" <[email protected]>
   To: [email protected]
   Subject: Re: [exim] Enable TLS with basic Exim4 config
   John Smith <[email protected]> (Wed 14 Jun 2017 01:08:15 CEST):
   > Hello,
   >
   > After some questions about the config files with a Debian system, I
   > continued playing with Exim and the TLS!
   > I think it's on the right track because now I get "STARTTLS" from telnet
   > and get some certificate answers... But clients like Thunderbird can't
   > connect using TLS... :(
   >
   > So now... I'm here and when I launch swaks to test the TLS (swaks -a
   > -tls -q HELO -s localhost -au user -ap '<>'), I got:
   >
   > === Trying localhost:25...
   > === Connected to localhost.
   ...
   > ~> QUIT
   > <~ 221 mail closing connection
   > === Connection closed with remote host.
   Looks good.
   > Here, I saw that AUTH "PLAIN" and "LOGIN" seem to be available after
   > getting the TLS started.
   Yes. Intentionally.
   > Then, asking the server about certificates using openssl command
   > (openssl s_client -connect mail.domain.lan:465) showed :
   >
   > - One certificate returned with the "error" (warning ?) : verify
   > error:num=18:self signed certificate
   ...
   > No client certificate CA names sent
   > ---
   ...
   >
   > So... Do I have to fix the error "No client certificate CA names
   > sent"? Maybe by using a signing process with LetsEncrypt or something
   > else?
   No, the client isn't obligated to send a certificate.
   But TB may be uncomfortable with your self signed certificate.
   Mail clients typically want to see a certificate with a matching
   CN or SAN (matching the host's name they connect to).
   You can debug it using tcpdump, to see if TB at least tries to use TLS.
   Best regards from Dresden/Germany
   Kind regards from Dresden
   Heiko Schlittermann
   --
   SCHLITTERMANN.de ---------------------------- internet & unix support -
   Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
   gnupg encrypted messages are welcome --------------- key ID: F69376CE -
   ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
   --
   ## List details at https://lists.exim.org/mailman/listinfo/exim-users
   ## Exim details at http://www.exim.org/
   ## Please use the Wiki with this list - http://wiki.exim.org/
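As an added example (not from this thread and not Exim's or Thunderbird's code), a small Python script that does what Heiko describes a mail client doing: EHLO, STARTTLS on port 25, then verifying the chain and the host name against the platform trust store, reporting the verifier's reason on failure. The name-matching helper makes the "matching CN or SAN" rule explicit (dNSName SANs first, CN only as a fallback, wildcard only as the whole leftmost label) and works on the dict shape `ssl.SSLSocket.getpeercert()` returns; the host name `mail.domain.lan` is taken from the thread and is only a placeholder.

```python
import smtplib
import ssl


def _label_match(pattern: str, hostname: str) -> bool:
    # RFC 6125-style comparison: case-insensitive, and '*' is accepted only as
    # the entire leftmost label ('*.domain.lan' matches mail.domain.lan but
    # neither domain.lan nor a.mail.domain.lan).
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if p == h:
        return True
    pl, hl = p.split("."), h.split(".")
    return pl[0] == "*" and len(pl) >= 3 and len(pl) == len(hl) and pl[1:] == hl[1:]


def cert_matches_host(cert: dict, hostname: str) -> bool:
    # `cert` has the shape ssl.SSLSocket.getpeercert() returns. Clients look at
    # dNSName SANs first; the subject commonName is consulted only when the
    # certificate carries no dNSName SAN at all (iPAddress SANs are ignored here).
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_label_match(n, hostname) for n in names)


def probe_starttls(host: str, port: int = 25, timeout: float = 10.0) -> str:
    # Mimic a mail client: plain SMTP, EHLO, STARTTLS, then strict verification
    # with the system trust store. Returns "ok" or the verifier's reason, e.g.
    # "self signed certificate" (OpenSSL error 18 from the thread) or
    # "Hostname mismatch, certificate is not valid for '<host>'".
    ctx = ssl.create_default_context()  # verify chain AND host name
    smtp = smtplib.SMTP(timeout=timeout)
    try:
        smtp.connect(host, port)
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return "server does not advertise STARTTLS"
        smtp.starttls(context=ctx)  # raises SSLCertVerificationError on failure
        smtp.ehlo()
        return "ok"
    except ssl.SSLCertVerificationError as e:
        return e.verify_message or str(e)
    except (OSError, smtplib.SMTPException) as e:
        return f"connection failed: {e}"
    finally:
        smtp.close()


if __name__ == "__main__":
    import sys
    # Placeholder host from the thread; pass the name the mail client actually uses.
    print(probe_starttls(sys.argv[1] if len(sys.argv) > 1 else "mail.domain.lan"))
```

Run it with the exact name configured in Thunderbird: a certificate whose CN is the FQDN still fails when the client is pointed at a short name or an IP address, and a self-signed certificate fails the chain check even when the name matches.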