[Bug 786] New: tls_verify_hosts not verifying X509 signed from Outlook 2007

------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=786

Summary: tls_verify_hosts not verifying X509 signed from Outlook 2007
Product: Exim
Version: 4.68
Platform: x86
OS/Version: Linux
Status: NEW
Severity: bug
Priority: medium
Component: TLS
AssignedTo: nigel@...
ReportedBy: jwexler@...
CC: exim-dev@...

Objective: Only allow outgoing mail relaying from clients (Outlook 2007) which authenticate with a certificate that the Exim server recognizes. This does not appear to work.

Client:
Outlook 2007 (12.0.6316.5000) SP1 MSO (12.0.6320.5000)
CA certificate is in the root CA section of IE7
Server certificate and each test email client certificate are in the Individuals and Others of IE7 certificates area
Server certificate included as trusted certificate and as default email certificate in Outlook 2007 trusted center
Client certificates all saved in respective users' entries in Outlook address book

Server:
Ubuntu 8.04.1
Installed Packages include exim4-daemon-heavy (4.68), libmail-spf-query-perl, mailx
ldap (openldap2.3) via http://ubuntuforums.org/showthread.php?t=640760

Signed Certificates:
Attempted certificates generated via openssl (0.9.8g) as well as certificates generated via gnutls (2.0.4). Tried both 1024 bit and 4096 bit certificates.
CA: ca, cert_signing_key
Server (Signed by above CA): ca, signing_key, encryption_key, dns_name = hostname, ip_address = server ip address
Clients: ca, signing_key, encryption_key

Contents of server certificate settings:
X.509 Certificate Information, version 3
Issuer and Subject: C, O, OU, L, ST, CN (Exim server hostname), EMAIL all defined
Subject Public Key Algorithm: RSA
Basic Constraints (critical): Certificate Authority (CA): TRUE
Subject Alternative Name (not critical): RFC822name is same as Email in Subject
Subject Key Identifier (not critical) and Authority Key Identifier (not critical) defined
Signature Algorithm: RSA-SHA
MD5 fingerprint, SHA-1 fingerprint, Public Key Id defined

Client certificates also created with CN = Email.

Server certificate and client certificates copied to /usr/share/ca-certificates and added to /etc/ssl/certs/ca-certificates.crt via dpkg-reconfigure ca-certificates
Server certificate and key also copied to /etc/exim4 with chmod properties same as /etc/exim4/exim.crt and exim.key

exim4.conf.template properties:
MAIN_TLS_ENABLE = yes
MAIN_TLS_VERIFY_HOSTS = *
MAIN_RELAY_NETS = (a number of networks including the network of the test Outlook 2007 client)
MAIN_TLS_ADVERTISE_HOSTS = MAIN_RELAY_NETS
MAIN_TLS_CERTIFICATE = /etc/exim4/(the name of the server certificate file)
MAIN_TLS_PRIVATEKEY = /etc/exim4/(the name of the server key file)

The following is an example from /var/log/exim4/mainlog when MAIN_TLS_VERIFY_HOSTS = * is set. Encrypted, signed (via client certificates) TLS email is not relayed to local ldap users.

2008-12-01 16:07:15 [23561] SMTP connection from [client_ip]:3000 I=[server_ip]:587 (TCP/IP connection count = 1)
2008-12-01 16:07:15 [23570] TLS error on connection from client_FQDN (client_hostname_short) [client_ip]:3000 (gnutls_handshake): The peer did not send any certificate.
2008-12-01 16:07:15 [23570] SMTP connection from client_FQDN (client_hostname_short) [client_ip]:3000 I=[server_ip]:587 closed by EOF
2008-12-01 16:07:15 [23570] no MAIL in SMTP connection from client_FQDN (client_hostname_short) [client_ip]:3000 I=[server_ip]:587 D=0s C=EHLO,STARTTLS
(END)

The following is an example from /var/log/exim4/mainlog when MAIN_TLS_VERIFY_HOSTS = * is commented out. Encrypted, signed (via client certificates) TLS email is relayed to local ldap users without issue. The DN in mainlog is blank for some reason.

/var/log/exim4/mainlog:
2008-12-01 16:06:29 [30486] SMTP connection from [client_ip]:2999 I=[server_ip]:587 (TCP/IP connection count = 1)
2008-12-01 16:06:29 [23038] 1L72rV-0005za-O1 "testaccount02@virtual_domain-pre-rewrite" from env-to rewritten as "post_rewrite_prefix_testaccount02@domain" by rule 7
2008-12-01 16:06:29 [23038] 1L72rV-0005za-O1 <= testaccount01@virtual_domain-pre-rewrite H=client_FQDN (client_hostname_short) [client_ip]:2999 I=[server_ip]:587 P=smtps X=TLS-1.0:RSA_ARCFOUR_MD5:16 CV=no DN="" S=12242 id=002201c95383$5a6d3f20$0f47bd60$@com T="tls_verify_hosts not set test 02" from <testaccount01@virtual_domain-pre-rewrite> for testaccount02@virtual_domain-pre-rewrite
2008-12-01 16:06:29 [23039] cwd=/var/spool/exim4 3 args: /usr/sbin/exim4 -Mc 1L72rV-0005za-O1
2008-12-01 16:06:30 [23039] 1L72rV-0005za-O1 => post_rewrite_prefix_testaccount02 <post_rewrite_prefix_testaccount02@domain> F=<testaccount01@virtual_domain-pre-rewrite> P=<testaccount01@virtual_domain-pre-rewrite> R=local_user T=maildir_home S=12385 QT=1s DT=1s
2008-12-01 16:06:30 [23039] 1L72rV-0005za-O1 Completed QT=1s
2008-12-01 16:06:32 [23038] SMTP connection from client_FQDN (client_hostname_short) [client_ip]:2999 I=[server_ip]:587 closed by QUIT

--
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email

--
## List details at http://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##

[Bug 786] tls_verify_hosts not verifying X509 signed from Outlook 2007

--- Comment #1 from Andreas Metzler <eximusers@...> 2008-12-01 18:32:57 ---

--------------
The following is an example from /var/log/exim4/mainlog when MAIN_TLS_VERIFY_HOSTS = * is set. Encrypted, signed (via client certificates) TLS email is not relayed to local ldap users.

2008-12-01 16:07:15 [23561] SMTP connection from [client_ip]:3000 I=[server_ip]:587 (TCP/IP connection count = 1)
2008-12-01 16:07:15 [23570] TLS error on connection from client_FQDN (client_hostname_short) [client_ip]:3000 (gnutls_handshake): The peer did not send any certificate.
--------------

I think you are misunderstanding what the option is about. This does not make exim parse incoming mails and check their signatures. A client connecting via TLS/SSL can provide a certificate to authenticate this connection. I doubt that MUAs like Outlook can even be configured to do this.

cu andreas

[Bug 786] tls_verify_hosts not verifying X509 signed from Outlook 2007

--- Comment #2 from jwexler@... 2008-12-02 09:04:58 ---

Thank you for your quick response. Isn't this one additional means to increase the security to further restrict who is authorized to relay outgoing email through the server? I have read as much as I can about this feature including http://www.exim.org/lurker/message/20070610.123842.6610025d.en.html

If this is not what tls_verify_hosts is for then what is it intended for?

Outlook appears to send the server certificate that I loaded in Outlook's trusted center. For example, when I send email from this same Outlook client via an account at another machine running MS Exchange 2000 and then open the email from another Outlook client machine, I am able to view the contents of the server certificate that was sent.

Please don't misunderstand; my objective is not to check certificates of inbound email. Rather, it is for Exim to validate whether or not the Outlook 2007 client is allowed to relay outgoing smtp email by (in addition to TLS authentication) checking that the certificate that Outlook uses for authentication (in the Outlook trusted center) is in /etc/ssl/certs/ca-certificats.crt. MS Exchange has a feature for an authentication layer via certificates; thus, I believe that Outlook should be able to do its part. (Please excuse my challenge with correct terminology below.)

I just did the following two tests.

TEST #1: Send an encrypted, signed email from Outlook 2007 via an account that authenticates with the main Exim server. I.e., direct authentication with main Exim server.

The error I just got is as follows:

2008-12-02 16:06:12 [31010] SMTP connection from [main_exim_server_ip]:3687 I=[originating_outlook_client_ip]:587 (TCP/IP connection count = 1)
2008-12-02 16:06:12 [31028] TLS error on connection from originating_outlook_client_hostname.domain (originating_outlook_client_hostname) [main_exim_server_ip]:3687 (gnutls_handshake): The peer did not send any certificate.
2008-12-02 16:06:12 [31028] SMTP connection from originating_outlook_client_hostname.domain (originating_outlook_client_hostname) [main_exim_server_ip]:3687 I=[originating_outlook_client_ip]:587 closed by EOF
2008-12-02 16:06:12 [31028] no MAIL in SMTP connection from originating_outlook_client_hostname.domain (originating_outlook_client_hostname) [main_exim_server_ip]:3687 I=[originating_outlook_client_ip]:587 D=0s C=EHLO,STARTTLS

TEST #2: Send an encrypted, signed email from Outlook 2007 via an account that authenticates with a separate (interim) Exim server on another machine. Upon authentication, this interim Exim server then relays the email to the main Exim server for delivery to the local user. I.e., indirect sending via a separate Exim server for inbound delivery at the main Exim server.

Main Exim Server Log, i.e., log from the main Exim server that receives the email for delivery from the interim Exim server:

2008-12-02 16:26:30 [1865] SMTP connection from [interim_exim_server_for_relay_from_separate_mta_ip]:44978 I=[originating_outlook_client_ip]:25 (TCP/IP connection count = 1)
2008-12-02 16:26:30 [1882] TLS error on connection from interim_exim_server_for_relay_from_separate_mta_hostname.domain [interim_exim_server_for_relay_from_separate_mta_ip]:44978 (gnutls_handshake): The peer did not send any certificate.
2008-12-02 16:26:30 [1882] SMTP connection from interim_exim_server_for_relay_from_separate_mta_hostname.domain [interim_exim_server_for_relay_from_separate_mta_ip]:44978 I=[originating_outlook_client_ip]:25 closed by EOF
2008-12-02 16:26:30 [1882] no MAIL in SMTP connection from interim_exim_server_for_relay_from_separate_mta_hostname.domain [interim_exim_server_for_relay_from_separate_mta_ip]:44978 I=[originating_outlook_client_ip]:25 D=0s C=EHLO,STARTTLS
2008-12-02 16:26:30 [1865] SMTP connection from [interim_exim_server_for_relay_from_separate_mta_ip]:44979 I=[originating_outlook_client_ip]:25 (TCP/IP connection count = 1)
2008-12-02 16:26:30 [1883] H=interim_exim_server_for_relay_from_separate_mta_hostname.domain [interim_exim_server_for_relay_from_separate_mta_ip]:44979 I=[originating_outlook_client_ip]:25 rejected MAIL <user_who_relays_through_other_interim_exim_server@domain>
2008-12-02 16:26:30 [1883] SMTP connection from interim_exim_server_for_relay_from_separate_mta_hostname.domain [interim_exim_server_for_relay_from_separate_mta_ip]:44979 I=[originating_outlook_client_ip]:25 closed by QUIT

Interim Exim Server Log, i.e., log from the interim Exim server that authenticates and then relays to the main Exim server:

2008-12-02 16:26:30 [4880] SMTP connection from [main_exim_server_ip]:3705 I=[interim_exim_server_for_relay_from_separate_mta_ip]:25 (TCP/IP connection count = 1)
2008-12-02 16:26:30 [6272] 1L7PeQ-0001dA-8c <= user_who_relays_through_other_interim_exim_server@domain H=originating_outlook_client_hostname.domain (originating_outlook_client_hostname) [main_exim_server_ip]:3705 I=[interim_exim_server_for_relay_from_separate_mta_ip]:25 P=esmtp S=12177 id=02ca01c9544f$495c11d0$dc143570$@com T="For delivery. Sent from another exim server. tls_verify_hosts Expect: OK 002" from <user_who_relays_through_other_interim_exim_server@domain> for testuser02@local_virtual_domain_pre-rewrite
2008-12-02 16:26:30 [6273] cwd=/var/spool/exim4 3 args: /usr/sbin/exim4 -Mc 1L7PeQ-0001dA-8c
2008-12-02 16:26:30 [6274] 1L7PeQ-0001dA-8c TLS error on connection to local_virtual_domain_pre-rewrite [originating_outlook_client_ip] (gnutls_handshake): Error in the push function.
2008-12-02 16:26:30 [6274] 1L7PeQ-0001dA-8c TLS session failure: delivering unencrypted to local_virtual_domain_pre-rewrite [originating_outlook_client_ip] (not in hosts_require_tls)
2008-12-02 16:26:30 [6273] 1L7PeQ-0001dA-8c ** testuser02@local_virtual_domain_pre-rewrite F=<user_who_relays_through_other_interim_exim_server@domain> P=<user_who_relays_through_other_interim_exim_server@domain> R=dnslookup_relay_to_domains T=remote_smtp: SMTP error from remote mail server after MAIL FROM:<user_who_relays_through_other_interim_exim_server@domain> SIZE=13370: host local_virtual_domain_pre-rewrite [originating_outlook_client_ip]: 550 Administrative prohibition
2008-12-02 16:26:30 [6275] cwd=/var/spool/exim4 7 args: /usr/sbin/exim4 -t -oem -oi -f <> -E1L7PeQ-0001dA-8c
2008-12-02 16:26:31 [6275] 1L7PeQ-0001dD-QU <= <> R=1L7PeQ-0001dA-8c U=Debian-exim P=local S=13157 T="Mail delivery failed: returning message to sender" from <> for user_who_relays_through_other_interim_exim_server@domain
2008-12-02 16:26:31 [6276] cwd=/var/spool/exim4 3 args: /usr/sbin/exim4 -Mc 1L7PeQ-0001dD-QU
2008-12-02 16:26:31 [6273] 1L7PeQ-0001dA-8c Completed QT=1s
2008-12-02 16:26:31 [6276] 1L7PeQ-0001dD-QU => user_who_relays_through_other_interim_exim_server <user_who_relays_through_other_interim_exim_server@domain> F=<> P=<> R=ldap_user T=maildir_home S=13252 QT=1s DT=0s
2008-12-02 16:26:31 [6276] 1L7PeQ-0001dD-QU Completed QT=1s
2008-12-02 16:26:33 [6272] SMTP connection from originating_outlook_client_hostname.domain (originating_outlook_client_hostname) [main_exim_server_ip]:3705 I=[interim_exim_server_for_relay_from_separate_mta_ip]:25 closed by QUIT

TEST #3: Same as Test #2 except that I commented out MAIN_RELAY_NETS so that neither the Client nor the Interim Exim relay server is in MAIN_RELAY_NETS.

MAIN EXIM SERVER LOG:

2008-12-02 17:25:40 [3153] SMTP connection from [interim_exim_server_for_relay_from_separate_mta_ip]:41397 I=[main_exim_server_ip]:25 (TCP/IP connection count = 1)
2008-12-02 17:25:40 [3167] "testuser02@local_virtual_domain_pre-rewrite" from env-to rewritten as "post_rewrite_prefix_testuser02@domain" by rule 7
2008-12-02 17:25:40 [3167] H=interim_exim_server_for_relay_from_separate_mta_hostname.domain [interim_exim_server_for_relay_from_separate_mta_ip]:41397 I=[main_exim_server_ip]:25 F=<user_who_relays_through_other_interim_exim_server@domain> rejected RCPT <testuser02@local_virtual_domain_pre-rewrite>
2008-12-02 17:25:40 [3167] H=interim_exim_server_for_relay_from_separate_mta_hostname.domain [interim_exim_server_for_relay_from_separate_mta_ip]:41397 I=[main_exim_server_ip]:25 incomplete transaction (QUIT) from <user_who_relays_through_other_interim_exim_server@domain>
2008-12-02 17:25:40 [3167] SMTP connection from interim_exim_server_for_relay_from_separate_mta_hostname.domain [interim_exim_server_for_relay_from_separate_mta_ip]:41397 I=[main_exim_server_ip]:25 closed by QUIT

INTERIM RELAYING EXIM SERVER LOG:

2008-12-02 17:25:40 [4880] SMTP connection from [originating_outlook_client_ip]:3820 I=[interim_exim_server_for_relay_from_separate_mta_ip]:25 (TCP/IP connection count = 1)
2008-12-02 17:25:40 [6363] 1L7QZg-0001ed-GO <= user_who_relays_through_other_interim_exim_server@domain H=originating_outlook_client_hostname.domain (originating_outlook_client_hostname) [originating_outlook_client_ip]:3820 I=[interim_exim_server_for_relay_from_separate_mta_ip]:25 P=esmtp S=11982 id=02db01c95457$8d3c5880$a7b50980$@com T="For delivery. Sent from another exim server. tls_verify_hosts Expect: OK 003" from <user_who_relays_through_other_interim_exim_server@domain> for testuser02@local_virtual_domain_pre-rewrite
2008-12-02 17:25:40 [6364] cwd=/var/spool/exim4 3 args: /usr/sbin/exim4 -Mc 1L7QZg-0001ed-GO
2008-12-02 17:25:40 [6364] 1L7QZg-0001ed-GO ** testuser02@local_virtual_domain_pre-rewrite F=<user_who_relays_through_other_interim_exim_server@domain> P=<user_who_relays_through_other_interim_exim_server@domain> R=dnslookup_relay_to_domains T=remote_smtp: SMTP error from remote mail server after RCPT TO:<testuser02@local_virtual_domain_pre-rewrite>: host local_virtual_domain_pre-rewrite [main_exim_server_ip]: 550 Administrative prohibition
2008-12-02 17:25:40 [6366] cwd=/var/spool/exim4 7 args: /usr/sbin/exim4 -t -oem -oi -f <> -E1L7QZg-0001ed-GO
2008-12-02 17:25:41 [6366] 1L7QZg-0001eg-Qx <= <> R=1L7QZg-0001ed-GO U=Debian-exim P=local S=12959 T="Mail delivery failed: returning message to sender" from <> for user_who_relays_through_other_interim_exim_server@domain
2008-12-02 17:25:41 [6367] cwd=/var/spool/exim4 3 args: /usr/sbin/exim4 -Mc 1L7QZg-0001eg-Qx
2008-12-02 17:25:41 [6364] 1L7QZg-0001ed-GO Completed QT=1s
2008-12-02 17:25:41 [6367] 1L7QZg-0001eg-Qx => user_who_relays_through_other_interim_exim_server <user_who_relays_through_other_interim_exim_server@domain> F=<> P=<> R=ldap_user T=maildir_home S=13054 QT=1s DT=0s
2008-12-02 17:25:41 [6367] 1L7QZg-0001eg-Qx Completed QT=1s
2008-12-02 17:25:43 [6363] SMTP connection from originating_outlook_client_hostname.domain (originating_outlook_client_hostname) [originating_outlook_client_ip]:3820 I=[interim_exim_server_for_relay_from_separate_mta_ip]:25 closed by QUIT

Re: [Bug 786] tls_verify_hosts not verifying X509 signed from Outlook 2007

On Tue, 2 Dec 2008, jwexler@... wrote:

| Outlook appears to send the server certificate that I loaded in Outlook's
| trusted center.

That's very strange.

Normally, a *server* certificate is sent from the server to the client, to help the client to authenticate the server.

In some situations, the server requires the client to supply a *client* certificate, to help the server authenticate the client. This seems to be what you're after. But as Andreas says, I've no idea if/how you can make outlook supply a *client* certificate.

However, you mention outlook sending a *server* certificate. This sounds odd - there is no point in sending a server certificate *to* the server. Recall that the server certificate is essentially public. Anyone who can send packets to the server can trivially download it.
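The point made in Comment #1 and in Chris Edwards' reply above (the certificate tls_verify_hosts cares about is one the *client* presents during the TLS handshake, not the S/MIME signature inside the message and not the server's own certificate) as an added example; this is not code from the thread, from Exim or from Outlook. It is Go using only the standard library: it mints a CA, a server certificate and a client certificate in memory (all names are constructed for the example), starts a TLS server on a loopback port that requires and verifies a client certificate, which is the behaviour Exim applies to hosts matching tls_verify_hosts with tls_verify_certificates pointing at the CA, and then connects twice: once as a client that merely trusts the CA, the way an MUA with the CA installed but no client certificate configured would, and once presenting a client certificate chained to that CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue mints a short-lived ECDSA certificate for this example: a self-signed CA
// when parent == nil, otherwise a leaf for 127.0.0.1 signed by parent for one EKU.
func issue(cn string, eku x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // positive; fine for a demo
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{eku}
		tmpl.IPAddresses = []net.IP{net.IPv4(127, 0, 0, 1)}
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// handshake runs one TLS handshake over loopback TCP and reports what the server
// concluded: the verified client certificate's CN, or the server-side handshake
// error. The client's view of a failure is ignored, as it is in Exim's mainlog.
func handshake(serverCfg, clientCfg *tls.Config) (string, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	check(err)
	defer ln.Close()
	var cn string
	errCh := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		check(err)
		srv := tls.Server(raw, serverCfg)
		defer srv.Close()
		if err = srv.Handshake(); err == nil {
			cn = srv.ConnectionState().PeerCertificates[0].Subject.CommonName
		}
		errCh <- err
	}()
	if cli, err := tls.Dial("tcp", ln.Addr().String(), clientCfg); err == nil {
		cli.Close()
	}
	err = <-errCh // the send happens-before this receive, so reading cn is safe
	return cn, err
}

// Demo builds a CA, a server certificate and a client certificate (constructed
// names, not the reporter's) and runs two handshakes against a server that insists
// on a verified client certificate, as Exim does for hosts in tls_verify_hosts.
func Demo() (noCertErr error, peerCN string, err error) {
	ca, caKey := issue("Example CA", 0, nil, nil)
	srv, srvKey := issue("mail.example.test", x509.ExtKeyUsageServerAuth, ca, caKey)
	cli, cliKey := issue("testaccount01@example.test", x509.ExtKeyUsageClientAuth, ca, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // what tls_verify_hosts = * asks for
		ClientCAs:    pool,                            // what tls_verify_certificates supplies
	}
	// An MUA that trusts the server's CA but offers no client certificate: the
	// server refuses the handshake, so no SMTP command is ever exchanged.
	_, noCertErr = handshake(serverCfg, &tls.Config{RootCAs: pool})
	peerCN, err = handshake(serverCfg, &tls.Config{
		RootCAs:      pool,
		Certificates: []tls.Certificate{{Certificate: [][]byte{cli.Raw}, PrivateKey: cliKey}},
	})
	return noCertErr, peerCN, err
}
```

Call Demo from a main to try it. Its first result is the server-side error of the handshake in which the client sent no certificate (Go's error text says the client did not provide a certificate; GnuTLS in the reporter's log phrases the same condition as "The peer did not send any certificate"); its second is the Subject CN the server extracted from the client certificate once one was offered. Two things follow for the setup in this thread: the failure happens inside STARTTLS, before MAIL FROM, which is why mainlog shows "no MAIL ... C=EHLO,STARTTLS"; and putting client certificates into the server's CA bundle changes nothing unless the client actually offers one in the handshake. In Exim a verified client certificate also only gets the session established; whether it entitles the host to relay is a separate decision in the ACLs, for which Exim documents the `verify = certificate` ACL condition.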

[Bug 786] tls_verify_hosts not verifying X509 signed from Outlook 2007

jwexler@... changed:
What |Removed |Added
CC   |        |jwexler@...

--- Comment #3 from jwexler@... 2008-12-04 23:03:29 ---

> On 2008-12-03 15:00, Chris Edwards wrote:
> On Tue, 2 Dec 2008, jwexler@??? wrote:
>
> | Outlook appears to send the server certificate that I loaded in
> | Outlook's trusted center.
>
> That's very strange.
>
> Normally, a *server* certificate is sent from the server to the client, to
> help the client to authenticate the server.
>
> In some situations, the server requires the client to supply a *client*
> certificate, to help the server authenticate the client. This seems to be
> what you're after. But as Andreas says, I've no idea if/how you can make
> outlook supply a *client* certificate.
>
> However, you mention outlook sending a *server* certificate. This sounds
> odd - there is no point in sending a server certificate *to* the server.
> Recall that the server certificate is essentially public. Anyone who can
> send packets to the server can trivially download it.

Thanks Chris. I have also actually attempted the same test using a client certificate in Outlook Trust Center with the same results.

This is the current configuration of certificates that I have:

01_CA_Certificate = CA certificate signing authority

02_Server_Certificate = Certificate signed by 01_CA_Certificate. This certificate and its corresponding private key are located in /etc/exim4. This is the certificate that MAIN_TLS_CERTIFICATE is assigned and MAIN_TLS_PRIVATEKEY is assigned to its corresponding private key. (Note that the certificate is also in /usr/share/ca-certificates and loaded into /etc/ssl/certs/ca-certificats.crt per the instructions in exim4.conf.template. I realize now from your post that the server certificate should not be there but would guess it does not affect the tls_verify_hosts issue.)

03_Client1_Certificate = Email sender/authenticator's client certificate. Test user 1.

04_Client2_Certificate = Email recipient's client certificate. Test user 2. This is also signed by 01_CA_Certificate.

Both client certificates (03_ and 04_) are signed by 01_CA_Certificate. Each of the two client users were added to Outlook's address book and their corresponding certificates (in .cer file format for the address book upload) were uploaded and saved in the address book. Note that Outlook requires that their certificates be in the address book before it allows signed and encrypted email to be sent between the sender and recipient.

As mentioned above, I had initially attempted the authentication check via tls_verify_hosts = * with 03_Client1_Certificate in Outlook's Trust Center (CASE A). I had gotten identical error messages in Exim's mainlog. When I commented out the tls_verify_hosts assignment, I had confirmed that the client certificate was indeed within the received email.

Since tls_verify_hosts did not work with the sender's client certificate, I had then proceeded to attempt sending the email by uploading 02_Server_Certificate into Outlook's Trust Center and tried sending with that certificate (CASE B). This yielded the same error as CASE A (and of course is not expected to work given that it should be the client certificate that is sent as per your post).

Other settings: Exim was installed from daemon-heavy and thus appears to perform TLS via GnuTLS rather than OpenSSL. The certificates that I have been testing against recently were created via GnuTLS's certtool. TLS relaying is performed on port 587. The Outlook client is on a network within MAIN_RELAY_NETS which is required for authenticating.

CASE A is the intended functionality for tls_verify_hosts, correct? I would guess that this is its intended purpose as it seems to offer equivalent certificate authentication security functionality as in MS Exchange. I can't imagine what other purpose there would be for tls_verify_hosts than to verify client certificates for authentication.

Is there any other info/test that I can provide to help determine whether this is a legitimate bug?

[Bug 786] tls_verify_hosts not verifying X509 signed from Outlook 2007

jwexler@... changed:
What |Removed     |Added
CC   |jwexler@... |

--- Comment #4 from jwexler@... 2008-12-04 23:10:40 ---

Addendum: 03_Client1_Certificate and 04_Client2_Certificate are also located in /usr/share/ca-certificates and loaded into /etc/ssl/certs/ca-certificats.crt per the instructions in exim4.conf.template. I have confirmed they are listed in /etc/ca-certificates as well and symbolic links (as .pem) were created for them in /etc/ssl/certs.

[Bug 786] tls_verify_hosts not verifying X509 signed from Outlook 2007

--- Comment #5 from jwexler@... 2008-12-12 05:16:55 ---

I'm not sure if this is expected behavior or not. Adding to bug report just in case it helps.

Case: Send an email through exim on ServerA for delivery via exim on ServerB. Neither MAIN_TLS_VERIFY_HOSTS nor MAIN_TLS_TRY_VERIFY_HOSTS is set in either server.

If the TLS certificate that exim uses on ServerB is included in /etc/ca-certificates of ServerA (and certificates are in the correct locations on ServerA), when I try to send email through ServerA I get the following error and log entry in ServerA (there is no log entry in ServerB):

2008-12-12 13:45:59 [1589] SMTP connection from [client_ip]:1605 I=[ServerA_ip]:587 (TCP/IP connection count = 1)
2008-12-12 13:46:00 [1610] TLS error on connection from client.domain (client) [client_ip]:1605 (gnutls_handshake): A TLS packet with unexpected length was received.
2008-12-12 13:46:00 [1610] SMTP connection from client.domain (client) [client_ip]:1605 I=[ServerA_ip]:587 closed by EOF
2008-12-12 13:46:00 [1610] no MAIL in SMTP connection from client.domain (client) [client_ip]:1605 I=[ServerA_ip]:587 D=1s C=EHLO,STARTTLS

After removing ServerB's certificate from ServerA (and updating /etc/ca-certificates, /etc/ssl/certs/ca-certificates, etc), the email goes through ok.

Log entries:

ServerA:
2008-12-12 13:49:02 [4850] SMTP connection from [client_ip]:1606 I=[ServerA_ip]:587 (TCP/IP connection count = 1)
2008-12-12 13:49:10 [4876] 1LAzxX-0001Ge-E9 <= sender@domain H=client.domain (client) [client_ip]:1606 I=[ServerA_ip]:587 P=smtps X=TLS-1.0:RSA_ARCFOUR_MD5:16 CV=no DN="" S=8162 id=021301c95c14$f6e0f8d0$e4a2ea70$@com T="ServerA -> ServerB Signed Expect OK 19" from <sender@domain> for recipient@recipient_domain
2008-12-12 13:49:10 [4889] cwd=/var/spool/exim4 3 args: /usr/sbin/exim4 -Mc 1LAzxX-0001Ge-E9
2008-12-12 13:49:10 [4889] 1LAzxX-0001Ge-E9 => recipient@recipient_domain F=<sender@domain> P=<sender@domain> R=dnslookup_relay_to_domains T=remote_smtp S=8361 H=recipient_domain [ServerB_ip]:25 X=TLS-1.0:RSA_AES_256_CBC_SHA1:32 CV=no DN="C=US,ST=State,L=City,O=Company LLC,OU=Information Technology,CN=ServerB.domain,EMAIL=sysmail@domain" C="250 OK id=1LAzxd-0001k5-8d" QT=7s DT=0s
2008-12-12 13:49:10 [4889] 1LAzxX-0001Ge-E9 Completed QT=7s
2008-12-12 13:49:13 [4876] SMTP connection from client.domain (client) [client_ip]:1606 I=[ServerA_ip]:587 closed by QUIT

ServerB:
2008-12-12 13:49:09 1LAzxd-0001k5-8d <= sender@domain H=ServerA.domain [ServerA_ip] P=esmtps X=TLS-1.0:RSA_AES_256_CBC_SHA1:32 DN="" S=8428 id=021301c95c14$f6e0f8d0$e4a2ea70$@com
2008-12-12 13:49:09 1LAzxd-0001k5-8d => rw-recipient <rw-recipient@domain> R=local_user T=maildir_home
2008-12-12 13:49:09 1LAzxd-0001k5-8d Completed

This is repeatable. If I add the certificate back, it does not go through, with the same log as before. If I then remove it again, it goes through, with the same logs for this case as before.

[Bug 786] tls_verify_hosts not verifying X509 signed from Outlook 2007

--- Comment #6 from Nigel Metheringham <nigel@...> 2009-10-20 13:26:54 ---

Unable to understand issue given description and my level of knowledge, so I am leaving it untouched for now...