Hello, I'm unable to make exim provide its certificate when it connects to another server.
I have two Exim (4.92) servers (Debian): one is my secondary MX (Source) which sends mail to my primary MX (Destination). I want them to mutually authenticate themselves (preferably using DANE). Both servers have TLS configured (STARTTLS) using GnuTLS and show "green" in various SMTP TLS checking tools.

When S sends a mail to D, I see "CV=yes" in S's logs (S validated the certificate of D), but "CV=no" in the logs of D (and $tls_in_peerdn is not defined). When I connect from S to D using swaks and force the use of Exim's certificate with --tls-cert, D sees it and validates it. D also sees and validates other certificates, from gmail for example, or from my Thunderbird when I connect to D over SMTP. If I require the use of a certificate (tls_verify_hosts) on D instead of just "trying" it, the messages from S do not pass.

With DANE configured (both servers are "green" in https://dane.sys4.de/), when I send a mail from S to D, it shows "CV=dane" on S and "CV=no" on D.

The config on both servers is:

  tls_advertise_hosts = *
  tls_require_ciphers = ${if =={$received_port}{25}{NORMAL:%COMPAT}{SECURE192:+SECURE128:-VERS-ALL:+VERS-TLS1.2}}
  # Debian bundle
  tls_verify_certificates = /etc/ssl/certs/ca-certificates.crt
  tls_try_verify_hosts = *

In transports I have:

  hosts_require_tls = S:D
  tls_verify_certificates = /etc/ssl/certs/ca-certificates.crt

I also have an ACL that tries "verify = certificate" and logs the value of $tls_in_peerdn.

So my question: is it possible to force Exim to present its certificate when it connects to another server as a client? And, if yes, what am I doing wrong? Can I validate S's certificate on D with DANE?

Thanks for your advice!

A.

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
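Added example, not the poster's configuration: in Exim the main-section tls_certificate/tls_privatekey are used only when Exim acts as the server; for outbound connections the smtp transport has to name its own certificate and key, otherwise no client certificate is offered and the receiving side logs CV=no. DANE (TLSA records) authenticates the server end only, so the client certificate from S still has to chain to a CA that D trusts. Host names and file paths below are assumed.

```exim
# Added example, not the poster's config. Paths and host names are assumed.
# Exim does not allow trailing comments, so every comment is on its own line.

# --- On S (sending MX): the smtp transport ---------------------------------
remote_smtp:
  driver = smtp
  hosts_require_tls = *
  # Client certificate and key presented to the remote server.
  # Without these two options nothing is offered, whatever the main
  # section's tls_certificate says (that one is server-side only).
  tls_certificate = /etc/exim4/tls/s.example.org.crt
  tls_privatekey  = /etc/exim4/tls/s.example.org.key
  # Verify the server's certificate: DANE where TLSA records exist,
  # otherwise the CA bundle; refuse to deliver to D unverified.
  hosts_try_dane = *
  tls_verify_certificates = /etc/ssl/certs/ca-certificates.crt
  tls_verify_hosts = d.example.org

# --- On D (receiving MX): main section --------------------------------------
tls_advertise_hosts = *
tls_certificate = /etc/exim4/tls/d.example.org.crt
tls_privatekey  = /etc/exim4/tls/d.example.org.key
# The client certificate from S is checked against this bundle, not TLSA.
tls_verify_certificates = /etc/ssl/certs/ca-certificates.crt
# Demand a verifiable client certificate from S, only try for everyone else,
# so an unverified S is rejected while ordinary senders are unaffected.
tls_verify_hosts = s.example.org
tls_try_verify_hosts = *
```

On S, "exim -bP transport remote_smtp" prints the effective transport settings, which is the quickest way to confirm tls_certificate is set on the transport and not only in the main section; a successful delivery should then log CV=yes (or CV=dane) on S and, with $tls_in_peerdn populated, CV=yes on D.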
