On 2023-10-07 18:55, Ian Z via Exim-users wrote:
> On Sat, Oct 07, 2023 at 04:10:24PM -0700, AC via Exim-users wrote:
>
>> The internal hosts are running self-signed certificates. So is there
>> a way to either make the self-signed certificates acceptable to the
>> main Exim server or otherwise disable the use of TLS by either the
>> internal servers or configuring the main server to not advertise TLS
>> to the internal hosts?
>
> tls_advertise_hosts main config option should answer the second half
> of your question. I don't quite understand the first half, though.
> Why does your main server care about the client's certificates?  Do
> you set tls_verify_hosts or tls_try_verify_hosts? By default these
> options are unset, so client certificate signatures don't matter.
>
> Is it possible that the messages are caused by something else than
> missing signature verification? Can you show the exact error messages?


The error message on the main server is:
TLS error on connection from [host] (recv): A TLS fatal alert has been received.: Certificate is bad

These are the related settings according to -bP

tls_advertise_hosts = *
tls_try_verify_hosts =
tls_verify_certificates = ${if exists{/etc/ssl/certs/ca-certificates.crt}{/etc/ssl/certs/ca-certificates.crt}{/dev/null}}
tls_verify_hosts =

I have the advertise set to * for incoming mail from the public side but the rest are empty. How would I alter this to not advertise TLS to the internal hosts and still advertise to all other hosts?

--
## subscription configuration (requires account):
##   https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
##   exim-users-unsubscr...@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
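One way to express the selective advertisement asked about above, as an added Exim configuration example that is not from the thread or from the Exim project. The address ranges and the hostlist name `internal_hosts` are assumptions constructed for illustration; substitute the real internal networks.

```exim
# Added example, not from the thread. Assumed internal ranges; adjust to your network.
hostlist internal_hosts = 10.0.0.0/8 : 192.168.0.0/16

# Advertise STARTTLS to every connecting host except the named internal ones.
# Host list items are tested left to right and the first match decides, so the
# negated item must precede the catch-all "*".
tls_advertise_hosts = ! +internal_hosts : *

# Unchanged from the -bP output above: with these empty, the server never asks
# the client for a certificate, so the clients' self-signed certs are irrelevant
# to the server side of the handshake.
tls_try_verify_hosts =
tls_verify_hosts =
```

Two checks are worth running before relying on this. `exim -bP tls_advertise_hosts` shows the value as Exim parsed it, and `exim -bh 192.168.1.10` (host testing mode, with an assumed internal address) runs a fake SMTP session on the terminal so you can confirm the EHLO response no longer lists STARTTLS for that range while a public address still gets it. The trade-off is that mail from the internal hosts then travels in cleartext; since the logged alert is marked `(recv)`, it was sent by the internal host rather than generated locally, which means the internal host rejected the main server's certificate. Adding the main server's certificate (or the CA that issued it) to the internal hosts' trust store keeps TLS on without touching `tls_advertise_hosts`.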