Hi,
As per the Exim and Debian documentation and defaults, I've set the
following:
.ifndef MAIN_TLS_VERIFY_CERTIFICATES
MAIN_TLS_VERIFY_CERTIFICATES = ${if exists{/etc/ssl/certs/ca-certificates.crt}\
                                   {/etc/ssl/certs/ca-certificates.crt}\
                                   {/dev/null}}
.endif
tls_verify_certificates = MAIN_TLS_VERIFY_CERTIFICATES
However, when I connect to my server over STARTTLS, I get offered every
certificate in that path, e.g.
grey-area:/etc/exim4 # openssl s_client -connect localhost:25 -starttls smtp
[...]
---
Acceptable client certificate CA names
CN = ACCVRAIZ1, OU = PKIACCV, O = ACCV, C = ES
C = IT, L = Milan, O = Actalis S.p.A./03358520967, CN = Actalis Authentication
Root CA
C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust
External CA Root
C = US, O = AffirmTrust, CN = AffirmTrust Commercial
[...]
= US, ST = Texas, L = Houston, O = SSL Corporation, CN = SSL.com Root
Certification Authority RSA
C = PA, ST = Panama, L = Panama City, O = TrustCor Systems S. de R.L., OU =
TrustCor Certificate Authority, CN = TrustCor ECA-1
C = PA, ST = Panama, L = Panama City, O = TrustCor Systems S. de R.L., OU =
TrustCor Certificate Authority, CN = TrustCor RootCert CA-1
C = PA, ST = Panama, L = Panama City, O = TrustCor Systems S. de R.L., OU =
TrustCor Certificate Authority, CN = TrustCor RootCert CA-2
Is this the correct way to configure things? It seems like quite a lot
of unnecessary data to be sent with each and almost every new
connection...
Thanks!
Richard
--
junix.systems/privacy
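To measure what the post describes, here is an added helper (not from the original message or from Exim) that counts the DNs in the "Acceptable client certificate CA names" section of `openssl s_client` output and, for comparison, the certificates in a PEM bundle. The sample output and bundle are constructed; the section terminators assume the OpenSSL 1.1.x text layout.

```bash
#!/bin/sh
# Added example, not part of the original post. Constructed s_client excerpt
# in the shape shown in the message (three acceptable CA names).
SAMPLE='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = mail.example.test
---
Acceptable client certificate CA names
CN = ACCVRAIZ1, OU = PKIACCV, O = ACCV, C = ES
C = US, O = AffirmTrust, CN = AffirmTrust Commercial
C = PA, ST = Panama, L = Panama City, O = TrustCor Systems S. de R.L., OU = TrustCor Certificate Authority, CN = TrustCor ECA-1
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA-PSS+SHA256:ECDSA+SHA256
---
SSL handshake has read 1234 bytes and written 456 bytes
'

# Constructed PEM bundle stand-in (two certificate blocks, bodies elided).
BUNDLE='-----BEGIN CERTIFICATE-----
MIIB...constructed...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIB...constructed...
-----END CERTIFICATE-----
'

# count_ca_names: read s_client output on stdin, print the number of DN
# lines advertised in the CertificateRequest. Assumes the OpenSSL 1.1.x
# layout, where the list ends at "Client Certificate Types", "Requested
# Signature Algorithms" or the next "---" separator.
count_ca_names() {
    awk '
        /^Acceptable client certificate CA names/ { in_list = 1; next }
        in_list && (/^---/ || /^Client Certificate Types/ || /^Requested Signature Algorithms/) { in_list = 0 }
        in_list { n++ }
        END { print n + 0 }
    '
}

# count_pem_certs: read a PEM bundle on stdin, print the number of
# certificates in it (the size of the list Exim will offer when
# tls_verify_certificates points at the whole bundle).
count_pem_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----'
}

# Stand-alone demonstration on the constructed data.
printf '%s\n' "$SAMPLE" | count_ca_names
printf '%s\n' "$BUNDLE" | count_pem_certs
```

Against a live server, feed it the same command as in the post: `openssl s_client -connect localhost:25 -starttls smtp </dev/null 2>/dev/null | count_ca_names`.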
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/