TLS verify=NO
am 18.10.2007 17:34:39 von Stifi
Hi there
I configured our sendmail for TLS and this works pretty well. The only
detail I'm wondering about is that incoming emails from a specific
mailserver are logged with "verify=NO" and outgoing emails to the
exact same mailserver are logged with "verify=OK" (which is what I would
expect, because I installed the CA certificate).
So here is a log entry which shows the SSL handshake for an outgoing
email:
Oct 18 12:04:40 mailserver sendmail[10100]: [ID 702911 mail.info]
STARTTLS=client, relay=mail.company.com., version=TLSv1/SSLv3,
verify=OK, cipher=RC4-MD5, bits=128/128
and here is a log entry for an incoming email:
Oct 18 17:20:44 ns1b sendmail[6482]: [ID 702911 mail.info]
STARTTLS=server, relay=[x.x.x.x], version=TLSv1/SSLv3, verify=NO,
cipher=RC4-MD5, bits=128/128
Please note the state of verify in these messages. The only difference
I notice is that the incoming emails are sent from relay=
and the IP address is not reverse-resolvable. But according to the docs,
verify=NO means that there is not even a certificate presented.
Thanks for any hints
Re: TLS verify=NO
am 20.10.2007 02:48:50 von per
In article <1192721679.767375.48950@e34g2000pro.googlegroups.com> Stifi
writes:
>I configured our sendmail for TLS and this works pretty well. The only
>detail I'm wondering about is that incoming emails from a specific
>mailserver are logged with "verify=NO" and outgoing emails to the
>exact same mailserver are logged with "verify=OK" (which is what I would
>expect, because I installed the CA certificate).
>
>
>So here is a log entry which shows the SSL handshake for an outgoing
>email:
>
>Oct 18 12:04:40 mailserver sendmail[10100]: [ID 702911 mail.info]
>STARTTLS=client, relay=mail.company.com., version=TLSv1/SSLv3,
>verify=OK, cipher=RC4-MD5, bits=128/128
>
>and here is a log entry for an incoming email:
>
>Oct 18 17:20:44 ns1b sendmail[6482]: [ID 702911 mail.info]
>STARTTLS=server, relay=[x.x.x.x], version=TLSv1/SSLv3, verify=NO,
>cipher=RC4-MD5, bits=128/128
>
>Please note the state of verify in these messages. The only difference
>I notice is that the incoming emails are sent from relay=
>and the IP address is not reverse-resolvable. But according to the docs,
>verify=NO means that there is not even a certificate presented.
It's not clear why you would expect anything else, but then you didn't
say much about how you actually set things up - you do realize that the
certificate authentication process is totally independent for the two
cases? An SSL/TLS client will offer a client certificate only if it a)
has one that b) is signed by one of the CAs that the server says that it
has certs for. So if you set it up to work in one direction, you need to
do the same thing (but with reversed client/server certs) for the other
direction. Possibly all that is missing is that "ns1b" needs the cert of
the CA that signed "x.x.x.x"'s cert (client IP addresses and their
resolvability is irrelevant as far as SSL/TLS goes).
--Per Hedeland
per@hedeland.org
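To make Per's point concrete, here is a small log-analysis script, added as an example and not part of either post, that parses sendmail's STARTTLS= log lines, decodes the verify= state, and explains for each direction whose trust store is involved. The two sample lines are the ones quoted in the thread (with the same placeholder relay and IP); the regex, the `diagnose` wording and the weak-cipher list are my own assumptions. The verify= values follow the ${verify} macro values documented in sendmail's cf/README.

```python
import re

# Matches the STARTTLS= line sendmail logs after a TLS handshake, in the
# form shown in this thread (assumed regex, not sendmail's own code).
STARTTLS_RE = re.compile(
    r"STARTTLS=(?P<role>client|server),\s*"
    r"relay=(?P<relay>[^,]+),\s*"
    r"version=(?P<version>[^,]+),\s*"
    r"verify=(?P<verify>[A-Z]+),\s*"
    r"cipher=(?P<cipher>[^,]+),\s*"
    r"bits=(?P<bits>\d+)/(?P<algbits>\d+)"
)

# ${verify} values as documented in sendmail's cf/README.
VERIFY_MEANING = {
    "OK": "peer certificate presented and verified against a trusted CA",
    "NO": "peer presented no certificate",
    "NOT": "no certificate was requested from the peer",
    "FAIL": "peer certificate presented but verification failed",
    "NONE": "STARTTLS was not performed",
}

# Ciphers a practitioner would flag today (assumed list).
WEAK_CIPHER_RE = re.compile(r"RC4|MD5|DES|NULL|EXP", re.IGNORECASE)


def parse_starttls(line):
    """Return a dict for one STARTTLS log line, or None if it is not one."""
    m = STARTTLS_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bits"] = int(rec["bits"])
    rec["algbits"] = int(rec["algbits"])
    return rec


def diagnose(rec):
    """Explain the verify= state in terms of which side's certificates matter."""
    role, verify = rec["role"], rec["verify"]
    if verify == "OK":
        return "ok"
    if role == "server" and verify in ("NO", "NOT"):
        # We are the TLS server, so the peer is the TLS client. It offers a
        # client certificate only if it has one AND that cert is signed by a
        # CA this host advertises (confCACERT / confCACERT_PATH here). The
        # peer's IP address or reverse DNS plays no part in this.
        return ("peer sent no client certificate; check this host's CA list "
                "and whether the peer has a client cert at all")
    if verify == "FAIL":
        # A cert was offered but the verifying side does not trust its CA.
        return "certificate presented but not trusted by the verifying side"
    return VERIFY_MEANING.get(verify, "unknown verify state")


def report(lines):
    """Summarise every STARTTLS line: direction, peer, verify state, diagnosis."""
    out = []
    for line in lines:
        rec = parse_starttls(line)
        if rec is None:
            continue
        out.append({
            "role": rec["role"],
            "relay": rec["relay"],
            "verify": rec["verify"],
            "diagnosis": diagnose(rec),
            "weak_cipher": bool(WEAK_CIPHER_RE.search(rec["cipher"])),
        })
    return out


# Constructed sample input: the two log lines quoted in this thread.
SAMPLE_LOG = [
    "Oct 18 12:04:40 mailserver sendmail[10100]: [ID 702911 mail.info] "
    "STARTTLS=client, relay=mail.company.com., version=TLSv1/SSLv3, "
    "verify=OK, cipher=RC4-MD5, bits=128/128",
    "Oct 18 17:20:44 ns1b sendmail[6482]: [ID 702911 mail.info] "
    "STARTTLS=server, relay=[x.x.x.x], version=TLSv1/SSLv3, verify=NO, "
    "cipher=RC4-MD5, bits=128/128",
    "Oct 18 17:20:45 ns1b sendmail[6482]: [ID 702911 mail.info] "
    "from=<user@example.net>, size=1234, class=0",
]

if __name__ == "__main__":
    for r in report(SAMPLE_LOG):
        flag = " (weak cipher)" if r["weak_cipher"] else ""
        print(f"{r['role']:6} {r['relay']:20} verify={r['verify']:4} "
              f"{r['diagnosis']}{flag}")
```

Run against a real maillog, the script separates the two independent checks: STARTTLS=client lines tell you whether this host trusted the remote server's certificate, STARTTLS=server lines whether the remote host offered a client certificate that this host could verify. It also flags the RC4-MD5 suite in the quoted lines, which no current deployment should still accept.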