Exim as an SSL/TLS client
How to configure exim version 4 to provide a client certificate when transfering mail over an SSL/TLS connection.
First published on May 4, 2005
At some point in the (hopefully) near future, I’ll be moving my main mail server out of my house to co-lo facility. I want all my home machines to relay mail through that box, and I want those connections verified via SSL-certificate checking.
So I built my own little certificate authority and generated certs for each host on my network.
I’m pretty familiar with the
m4 configuration process for
so telling local hosts running
sendmail how to offer up a client
certificate was pretty easy: just add
confCLIENT_KEY definitions and rebuild
Harder—well, more obscure—was getting
exim4 to offer up a client cert.
The exim4 config file has settings for
tls_privatekey, but they’re only good when exim is acting as a server;
they don’t apply to exim as a client.
The answer wasn’t documented at all in the comments in the exim4 config
stuff, nor was it in the
README.TLS file. Instead, buried in the FAQ
is this little gem:
A1705: This means that the clients have not sent certificates when asked by the server to do so. If the clients are running Exim, check that tls_certificate is correctly set in their smtp transports. Note that this value is not automatically inherited from the global tls_certificate option.
What that means in practice is that your remote_smtp transport definition needs a bit of tweaking, e.g.,
remote_smtp: debug_print = "T: remote_smtp for $local_part@$domain" driver = smtp tls_certificate = CONFDIR/exim.crt