Exim certificates

Problem Description

I have an instance of exim in my local network that is configured to use a mailertable to send mail to certain domains via my sympl host. All other mail is delivered direct.

Since upgrading to Debian 12, I’m finding that mail via the sympl host is not succeeding, reporting a certificate error.

It seems that exim on the sympl host is returning a certificate based on the host name of the box running sympl (seen running the exim delivery in debug mode), despite me telling my local exim to connect to another name on that host. What’s odd is that a copy of Thunderbird I run locally works just fine, delivering mail via the ‘alternate’ name for the sympl host.

Can anyone suggest why these differing certificates are being used?

Any Error Messages

2025-11-03 12:07:36 1vFtLT-006Tf2-30 == <redacted>@gmail.com R=mailertable T=remote_smtp_smarthost defer (-37) H=<redacted> [46.235.227.85]: TLS session: (certificate verification failed): certificate invalid

Environment

  • Sympl Version: 12.20240820.0
  • Sympl Testing Version: N/A
  • Debian Version: 12.12
  • Hardware Type: MB VM
  • Hosted With: MB

When doing TLS with other servers and clients, Exim will use the cert associated with the system hostname, so if you don’t have a public domain-name set for the server, third-party servers (like Gmail in the example) will likely be upset that the certificate being used isn’t a valid public cert.
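
To see which names a presented certificate actually covers, the shell functions below are an added example, not part of the thread and not Sympl's own tooling. They assume OpenSSL 1.1.1 or later; the function names are hypothetical, and the demo certificate is constructed.

```shell
#!/bin/sh
# Added example: function names and the demo certificate are constructed,
# not taken from the thread. Requires OpenSSL 1.1.1 or later.

# cert_matches_name PEM_FILE NAME
# Returns 0 if the certificate in PEM_FILE is valid for NAME (SAN/CN check).
cert_matches_name() {
    # openssl prints "Hostname <name> does match certificate" or
    # "... does NOT match certificate", so test the text, not the exit code.
    openssl x509 -in "$1" -noout -checkhost "$2" 2>&1 |
        grep -q "does match certificate"
}

# fetch_smtp_cert HOST PORT NAME OUT_PEM
# Saves the leaf certificate the server presents after STARTTLS when the
# client sends NAME as SNI. Needs network access to HOST.
fetch_smtp_cert() {
    openssl s_client -starttls smtp -connect "$1:$2" -servername "$3" \
        </dev/null 2>/dev/null | openssl x509 -out "$4"
}

# make_demo_cert OUT_PEM HOSTNAME
# Constructed self-signed certificate covering only HOSTNAME, standing in
# for a certificate issued for the server's system hostname.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
        -keyout /dev/null -out "$1" 2>/dev/null
}

# report PEM_FILE NAME...
# Prints one line per name saying whether the certificate covers it.
report() {
    pem=$1; shift
    for name in "$@"; do
        if cert_matches_name "$pem" "$name"; then
            echo "$name: covered"
        else
            echo "$name: NOT covered"
        fi
    done
}
```

Offline, `make_demo_cert leaf.pem vm01.example.net` followed by `report leaf.pem vm01.example.net mail.example.org` shows the first name covered and the second not (both names are placeholders). Against a real server, use `fetch_smtp_cert` with the name the client connects to, then run `report` on the saved file with the system hostname and that name.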

Thanks for the info.

Not sure how Thunderbird is ‘working’ when it is using a different hostname to connect?

I guess I might have just told it to trust the certificate at some time in the past?

Andy