[PLUG] exim4 as ssl/tls client

Paul Heinlein heinlein at madboa.com
Tue May 4 12:13:01 UTC 2004


At some point in the (hopefully) near future, I'll be moving my main
mail server out of my house to a co-lo facility. I want all my home
machines to relay mail through that box, and I want those connections
verified via SSL-certificate checking.

So I built my own little certificate authority and generated
certs for each host on my network.

I'm pretty familiar with sendmail's m4 configuration process, so
telling local hosts running sendmail how to offer up a client
certificate was pretty easy: just add confCLIENT_CERT and
confCLIENT_KEY definitions and rebuild sendmail.cf.

Harder -- well, more obscure -- was getting exim4 to offer up a client
cert. The exim4 config file has settings for tls_certificate and
tls_privatekey, but they're only good when exim is acting as a server;
they don't apply to exim as a client.

The answer wasn't documented at all in the comments in the exim4
config stuff, nor was it in the README.TLS file. Instead, buried in
the FAQ on www.exim.org is this little gem:

  A1705:  This means that the clients have not sent certificates when
  asked by the server to do so. If the clients are running Exim, check
  that tls_certificate is correctly set in their smtp transports. Note
  that this value is not automatically inherited from the global
  tls_certificate option.

What that means in practice is that your remote_smtp transport
definition needs a bit of tweaking, e.g.,

remote_smtp:
  debug_print = "T: remote_smtp for $local_part@$domain"
  driver = smtp
  # client certificate offered to the server; this transport option is
  # not inherited from the global (server-side) tls_certificate setting
  tls_certificate = CONFDIR/exim.crt

Voila!

--Paul Heinlein <heinlein at madboa.com>
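A fuller version of the same idea, as an added example that is not from the original post: a smarthost router plus a remote_smtp transport that offers a client certificate, verifies the relay's certificate against the private CA, and refuses to fall back to cleartext. The relay hostname mail.example.com, the file names exim.key and ca.crt, and the CONFDIR macro and local_domains list (as used by Debian's exim4 configuration) are assumptions; on a split Debian config these stanzas live under conf.d rather than after literal "begin" lines.

```exim
# Added example (not the original poster's config). Assumes Debian-style
# CONFDIR macro and a +local_domains domainlist; hostnames/paths are made up.

begin routers

# Send every non-local message to the co-lo relay.
smarthost:
  driver = manualroute
  domains = ! +local_domains
  transport = remote_smtp
  route_list = * mail.example.com
  no_more

begin transports

remote_smtp:
  driver = smtp
  # Client certificate and key presented when the server asks for one.
  # Neither value is inherited from the global tls_certificate/tls_privatekey,
  # which only cover Exim acting as a server. If tls_privatekey is omitted,
  # Exim looks for the key in the same file as the certificate.
  tls_certificate = CONFDIR/exim.crt
  tls_privatekey = CONFDIR/exim.key
  # Verify the relay's certificate against the private CA that issued it.
  tls_verify_certificates = CONFDIR/ca.crt
  # Never deliver to the relay without TLS (no cleartext fallback).
  hosts_require_tls = mail.example.com
```

The relay side still has to ask for the certificate: an Exim server only requests a client certificate from hosts matched by its tls_verify_hosts (verification mandatory) or tls_try_verify_hosts (verification optional) options, so without one of those the A1705 situation can arise even when the client transport is configured correctly.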