Mailing List Archive: exim: users

disabling tls_verify_certificates with expansion?

 

 

mcn4 at leicester

Feb 22, 2012, 9:01 AM


Hi,

In a transport, I can do:

smtp:
driver = smtp
hosts_require_tls = *

which requires encryption (albeit without any sort of verification
that I'm talking to the right server - leave that issue aside for
the moment!)

I can also do

smtp:
driver = smtp
hosts_require_tls = *
tls_verify_certificates = /path/to/server.cert

to guarantee TLS, and also verify the server certificate.

However, it would be nice to be able to do

smtp:
driver = smtp
hosts_require_tls = *
multi_domain = false
tls_verify_certificates = ${if exists {/path/to/$domain} {/path/to/$domain} {}}

but this fails trying to read a non-existent file (works fine if
the certificate file is there)

I've also tried "fail" instead of {} (not really expecting it to
work):

tls_verify_certificates = ${if exists {/path/to/$domain} {/path/to/$domain} fail}

Using /dev/null gets further (looking at the source, it doesn't
return DEFER if the file exists but zero-length), in that it
doesn't bomb out before trying to read the file:

tls_verify_certificates = ${if exists {/path/to/$domain} {/path/to/$domain} {/dev/null}}

but then the certificate verification fails a bit later on.

The source has a comment:

/* If the cert file is empty, there's no point in loading the CRL file. */

which I don't really get - why even bother with verification at
all if the cert file is empty? :-)

Is there a way to do this, without having to create two
transports, and checking for the presence of the certificate to
verify in the routing stage?

Cheers,

Matthew


(Note - using exim 4.72 on Debian, which means it's using the
gnutls code path, rather than openssl)

--
Matthew Newton, Ph.D. <mcn4 [at] le>

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp [at] le>

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
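The two-transport workaround the post mentions, written out as an added example in Exim configuration syntax (this is not code from the original post or from the Exim project): the decision about whether a per-domain certificate file exists is made at routing time with a router condition, so the transport that verifies never sees a missing file, and the transport that does not verify never sets tls_verify_certificates at all. The certificate directory /etc/exim4/tls/, the router and transport names, and the +local_domains domain list are all assumptions.

```exim
# Added example, not from the original post or the Exim project.
# Assumed layout: /etc/exim4/tls/<domain>.crt holds the certificate (or CA)
# that deliveries to <domain> must verify against. +local_domains is assumed
# to be a domainlist defined earlier in the configuration.

begin routers

# Domains we hold a certificate for: check the file at routing time and
# hand the message to the verifying transport. ${if exists{...}} with no
# yes/no branches yields "true" or the empty string, which is what the
# router "condition" option expects.
verified_remote:
  driver = dnslookup
  domains = ! +local_domains
  condition = ${if exists{/etc/exim4/tls/$domain.crt}}
  transport = remote_smtp_verify
  no_more

# Everything else: still require TLS, but do not verify the peer.
unverified_remote:
  driver = dnslookup
  domains = ! +local_domains
  transport = remote_smtp
  no_more

begin transports

# multi_domain = false keeps $domain well defined when the option is
# expanded, so one delivery never reuses another domain's certificate.
remote_smtp_verify:
  driver = smtp
  hosts_require_tls = *
  multi_domain = false
  tls_verify_certificates = /etc/exim4/tls/$domain.crt

remote_smtp:
  driver = smtp
  hosts_require_tls = *
```

Router order matters: the verifying router must come first, since the second router accepts every remote domain. A quick check before deploying is `exim -bt user@example.org`, which prints the router and transport a given address would be routed to, so you can confirm that a domain with a certificate file lands on remote_smtp_verify and one without lands on remote_smtp.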
