Package: exim4-base
Version: 4.96-15+deb12u1
Severity: normal

Hello,

When using built-in on-connect auto-generated self-signed certificates (i.e., not installing "real" SSL/TLS certificates), the ones that are auto-generated appear to have a date in the past (1970-01-01 02:00:00 UTC) as their end date:

glimmer:~$ gnutls-cli --starttls-proto=smtp 127.0.0.1
Processed 140 CA certificate(s).
Resolving '127.0.0.1:smtp'...
Connecting to '127.0.0.1:25'...
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
 - subject `CN=glimmer.localdomain,O=Exim Developers,C=UK', issuer `CN=glimmer.localdomain,O=Exim Developers,C=UK', serial 0x0100000000000000, RSA key 3072 bits, signed using RSA-SHA256, activated `2023-08-07 17:40:16 UTC', expires `1970-01-01 02:00:00 UTC', pin-sha256="40P5jkI8FD97/oh+CYdi4BJH1nfhpfk0BFH/25j3yK4="
	Public Key ID:
		sha1:179da7ef14d6fdcea2d6894405c3531976f5b4df
		sha256:e343f98e423c143f7bfe887e098762e01247d677e1a5f9340451ffdb98f7c8ae
	Public Key PIN:
		pin-sha256:40P5jkI8FD97/oh+CYdi4BJH1nfhpfk0BFH/25j3yK4=

- Status: The certificate is NOT trusted. The certificate issuer is unknown. The certificate chain uses expired certificate. The name in the certificate does not match the expected.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.

glimmer:~$ openssl s_client -starttls smtp -connect 127.0.0.1:25 -showcerts < /dev/null
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 C = UK, O = Exim Developers, CN = glimmer.localdomain
verify error:num=18:self-signed certificate
verify return:1
depth=0 C = UK, O = Exim Developers, CN = glimmer.localdomain
verify error:num=10:certificate has expired
notAfter=Jan 1 02:00:00 1970 GMT
verify return:1
depth=0 C = UK, O = Exim Developers, CN = glimmer.localdomain
notAfter=Jan 1 02:00:00 1970 GMT
verify return:1
---
Certificate chain
 0 s:C = UK, O = Exim Developers, CN = glimmer.localdomain
   i:C = UK, O = Exim Developers, CN = glimmer.localdomain
   a:PKEY: rsaEncryption, 3072 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug 7 17:40:16 2023 GMT; NotAfter: Jan 1 02:00:00 1970 GMT
---
Server certificate
subject=C = UK, O = Exim Developers, CN = glimmer.localdomain
issuer=C = UK, O = Exim Developers, CN = glimmer.localdomain
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1992 bytes and written 410 bytes
Verification error: certificate has expired
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 3072 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 10 (certificate has expired)
---
250 HELP
DONE

I would have expected the auto-generated certificates to have at least some limited validity period.

Best regards
Björn

-- Package-specific info:
Exim version 4.96 #2 built 02-Jul-2023 12:56:17
Copyright (c) University of Cambridge, 1995 - 2018
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2022
Berkeley DB: Berkeley DB 5.3.28: (September 9, 2013)
Support for: crypteq iconv() IPv6 GnuTLS TLS_resume move_frozen_messages DANE DKIM DNSSEC Event I18N OCSP PIPECONNECT PRDR Queue_Ramp SOCKS SRS TCP_Fast_Open
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch nis nis0 passwd
Authenticators: cram_md5 external plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore autoreply lmtp pipe smtp
Fixed never_users: 0
Configure owner: 0:0
Size of off_t: 8
Configuration file search path is /etc/exim4/exim4.conf:/var/lib/exim4/config.autogenerated
Configuration file is /var/lib/exim4/config.autogenerated
# /etc/exim4/update-exim4.conf.conf
#
# Edit this file and /etc/mailname by hand and execute update-exim4.conf
# yourself or use 'dpkg-reconfigure exim4-config'
#
# Please note that this is _not_ a dpkg-conffile and that automatic changes
# to this file might happen. The code handling this will honor your local
# changes, so this is usually fine, but will break local schemes that mess
# around with multiple versions of the file.
#
# update-exim4.conf uses this file to determine variable values to generate
# exim configuration macros for the configuration file.
#
# Most settings found in here do have corresponding questions in the
# Debconf configuration, but not all of them.
#
# This is a Debian specific file

dc_eximconfig_configtype='local'
dc_other_hostnames='glimmer;localhost.localdomain'
dc_local_interfaces='127.0.0.1 ; ::1'
dc_readhost=''
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets=''
dc_smarthost=''
CFILEMODE='644'
dc_use_split_config='true'
dc_hide_mailname=''
dc_mailname_in_oh='true'
dc_localdelivery='mail_spool'
mailname:glimmer.localdomain
# /etc/default/exim4
EX4DEF_VERSION=''
# 'combined' - one daemon running queue and listening on SMTP port
# 'no' - no daemon running the queue
# 'separate' - two separate daemons
# 'ppp' - only run queue with /etc/ppp/ip-up.d/exim4.
# 'nodaemon' - no daemon is started at all.
# 'queueonly' - only a queue running daemon is started, no SMTP listener.
# setting this to 'no' will also disable queueruns from /etc/ppp/ip-up.d/exim4
QUEUERUNNER='combined'
# how often should we run the queue
QUEUEINTERVAL='30m'
# options common to quez-runner and listening daemon
COMMONOPTIONS=''
# more options for the daemon/process running the queue (applies to the one
# started in /etc/ppp/ip-up.d/exim4, too.
QUEUERUNNEROPTIONS=''
# special flags given to exim directly after the -q. See exim(8)
QFLAGS=''
# Options for the SMTP listener daemon. By default, it is listening on
# port 25 only. To listen on more ports, it is recommended to use
# -oX 25:587:10025 -oP /run/exim4/exim.pid
SMTPLISTENEROPTIONS=''

-- System Information:
Debian Release: 12.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-10-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=sv_SE.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages exim4-base depends on:
ii  adduser                       3.134
ii  cron [cron-daemon]            3.0pl1-162
ii  debconf [debconf-2.0]         1.5.82
ii  exim4-config [exim4-config-2] 4.96-15+deb12u1
ii  libc6                         2.36-9+deb12u1
ii  libdb5.3                      5.3.28+dfsg2-1
ii  netbase                       6.4
ii  systemd-sysv                  252.12-1~deb12u1

Versions of packages exim4-base recommends:
ii  mailutils [mailx]  1:3.15-4
ii  psmisc             23.6-1

Versions of packages exim4-base suggests:
ii  emacs-nox [mail-reader]         1:28.2+1-15
pn  exim4-doc-html | exim4-doc-info <none>
pn  eximon4                         <none>
ii  file                            1:5.44-3
ii  gnutls-bin                      3.7.9-2
ii  mailutils [mail-reader]         1:3.15-4
ii  openssl                         3.0.9-1
pn  spf-tools-perl                  <none>
pn  swaks                           <none>

-- debconf information:
  exim4-base/drec:
  exim4/purge_spool: false
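
A check for the condition reported above, as an added example that is not part of the original report or of Exim: it reads the `Certificate chain` section of saved `openssl s_client` output and flags any entry whose NotAfter does not fall after its NotBefore. The function name `audit_chain` and the finding labels are assumptions; the first sample copies the chain lines from the report, the second is constructed.

```python
import re
from datetime import datetime, timezone

# openssl s_client prints one subject line and one validity line per chain entry.
SUBJECT_RE = re.compile(r"^\s*\d+\s+s:(.*)$")
VALIDITY_RE = re.compile(r"v:NotBefore:\s*(.+?)\s+GMT;\s*NotAfter:\s*(.+?)\s+GMT")
TIME_FMT = "%b %d %H:%M:%S %Y"  # e.g. "Aug 7 17:40:16 2023"

# Chain lines as they appear in the report.
REPORTED = """\
Certificate chain
 0 s:C = UK, O = Exim Developers, CN = glimmer.localdomain
   i:C = UK, O = Exim Developers, CN = glimmer.localdomain
   v:NotBefore: Aug 7 17:40:16 2023 GMT; NotAfter: Jan 1 02:00:00 1970 GMT
"""

# Constructed sample with a sane validity window, for comparison.
HEALTHY = """\
Certificate chain
 0 s:CN = mail.example.test
   i:CN = mail.example.test
   v:NotBefore: Aug 7 17:40:16 2023 GMT; NotAfter: Aug 6 17:40:16 2024 GMT
"""

def _parse(ts):
    return datetime.strptime(ts, TIME_FMT).replace(tzinfo=timezone.utc)

def audit_chain(s_client_output, now):
    """Return [(subject, [findings])] for every certificate in the output."""
    results, subject = [], "<unknown>"
    for line in s_client_output.splitlines():
        m = SUBJECT_RE.match(line)
        if m:
            subject = m.group(1).strip()
            continue
        m = VALIDITY_RE.search(line)
        if not m:
            continue
        not_before, not_after = _parse(m.group(1)), _parse(m.group(2))
        findings = []
        if not_after <= not_before:
            findings.append("inverted-validity")  # the case in this report
        if not_after < now:
            findings.append("expired")
        if not_before > now:
            findings.append("not-yet-valid")
        results.append((subject, findings))
        subject = "<unknown>"
    return results

if __name__ == "__main__":
    print(audit_chain(REPORTED, datetime.now(timezone.utc)))
```

An `inverted-validity` finding separates a certificate that was never valid at issue time from one that simply aged out, which is the distinction this report turns on.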