IRC Archive / Freenode / #exim / 2015 / August / 25 / 1
bjornar
When are the acl_smtp_* expanded?
jgh_
on use
MASHtm_
jgh_: if a server sends a certificate+intermediates and I try to connect to it with tls_verify_certificates = ... with exactly the same PEM container missing only the root CA cert ... verification fails on exim but not with openssl s_client or gnutls-cli?
jgh_
I think tls_verify_certificates has to be root certs
MASHtm_
ok... using root CA works, yes
is there a way to verify without chain giving the cert itself?
jgh_
verify what?
MASHtm_
the exact same certificate. one host uses it as server, the other should verify it as client
jgh_
you're asking for the client to verify it without the server sending anything to be verified?
MASHtm_
no, the server sends the certificate and I want the client to verify it at depth=0 instead of depth=2
by giving him the cert at depth=0 as well
jgh_
let's step back a way. What are you trying to do?
MASHtm_
I have a server certificate/key pair signed by a public CA with one intermediate in between. my LMTP server uses this.
exim 4.86 complained about not being able to verify it connecting as LMTP client... this has a second topic as well, but let's queue that for now...
so I set tls_verify_certificates = ... to the same certificate file the server uses on the smtp(lmtp mode) transport.
using this file as --x509cafile with gnutls-cli works and verification succeeds. but exim complains about the missing root-CA
setting the CA-bundle on exim in the transport works.
and the second topic... exim 4.86 seems to ignore the global tls_verify_certificates =
I've set a global one for a very long time and it worked up to 4.85. only the single host running 4.86 complains until I set it locally in the transport
jgh_
the main-configuration option is not a global, but applies to exim-as-server connections
MASHtm_
ah, I see the change in the changelog.... try_verify_hosts is default...
bjornar
Can I set a new local_part in rcpt acl .. for example when expanding prvs
jgh_
no
bjornar
so not possible to use local_parts here..
steedp3
I am trying to whitelist only mailchimp's servers with /etc/exim4/local_sender_blacklist. I know it is effective because I am using it also to whitelist a few domains, here is what I have: https://pastee.org/9vvxq, but mail is still being rejected by exim with the message: https://pastee.org/e7uk8 (redactions mine).
Any idea what could be wrong?
The IP given in the log is within the range in the config
I got the ranges from here: http://mailchimp.com/about/ips/
jgh_
since you use the term "exim4" this may be a Debian-specific issue. We don't know, eg, how that blacklist file is used by your config
bjornar_
What is the enhanced status code for "domain is not local" or whatever
X.1.8 Bad sender's system address 451, 501
no..