That wasn't easy - but I finally have a working conf file.
I'm running exim-3.33
This conf file is set up for a bi-directional setup for testing. I'm hoping
for some feedback so I can clean it up for others. I marked some iffy parts
with '???'.
It should authenticate and send encrypted mail back and forth - as if one
was moving sensitive info over the public Internet, between two company
locations.
Some tips -
* The standard exim.conf file is missing the "end" statement in the
"Authentication Configuration" section
* auth_hosts and authenticate_hosts seem to be two different statements.
authenticate_hosts seems to need to be in the SMTP section for clients -
auth_hosts returns an error. ???
* See
http://xtronics.com/exim/auth-tls-template
########### CRAM-MD5 with TLS sample config #################
# you need to create a user on the system's tls__{$hostname} ???
# server_name is a host name (i.e. for powerful.example.com it is 'powerful')
# clients_name is your client's host name
# example.com is your domain name (for both client and server)
# client.example.com.ip is the client's IP address (to eliminate DNS lookups???)
#
# client_password is the client password
# server_password is the server password
######################################################################
# MAIN CONFIGURATION SETTINGS #
#-----------------<SNIP>----------------------------------------------
#### tls settings
auth_always_advertise = false
auth_hosts = client.example.com.ip
auth_over_tls_hosts = client.example.com.ip
host_auth_accept_relay = client.example.com.ip
tls_hosts = client.example.com.ip
tls_host_accept_relay = client.example.com.ip
tls_advertise_hosts = client.example.com.ip
tls_verify_hosts = client.example.com.ip
tls_verify_certificates = /etc/exim/secure/clients_name.crt
tls_certificate = /etc/exim/secure/servers_name.crt
tls_privatekey = /etc/exim/secure/servers_name.key
tls_log_cipher
tls_log_peerdn
tls_verify_ciphers = DES-CBC3-SHA:IDEA-CBC-MD5
#-----------------<SNIP>----------------------------------------------
end
######################################################################
# TRANSPORTS CONFIGURATION #
#-----------------<SNIP>----------------------------------------------
remote_smtp:
driver = smtp
tls_certificate = /etc/exim/secure/poland.crt
tls_privatekey = /etc/exim/secure/poland.key
tls_verify_ciphers = DES-CBC3-SHA:DES-CBC3-MD5
tls_verify_certificates = /etc/exim/secure/kiwi.crt
authenticate_hosts = 206.52.159.34
#-----------------<SNIP>----------------------------------------------
end
######################################################################
# DIRECTORS CONFIGURATION #
#-----------------<SNIP>----------------------------------------------
end
######################################################################
# ROUTERS CONFIGURATION #
#-----------------<SNIP>----------------------------------------------
end
######################################################################
# RETRY CONFIGURATION #
* * F,2h,10m; G,16h,1h,1.5; F,14d,8h
end
######################################################################
# REWRITE CONFIGURATION #
end
######################################################################
# AUTHENTICATION CONFIGURATION #
client_name_cram:
driver = cram_md5
public_name = CRAM-MD5
client_name = tls_clients_name
client_secret = client_password
server_secret = server_password
server_set_id = $1
end
#### the above 'end' is not in the stock Conf file.
# End of Exim configuration file
------------------------------------------------
Karl Schmidt (ks150) EMail Karl@???
Transtronics, Inc. WEB http://xtronics.com
3209 West 9th Street Ph(785) 841-3089
Lawrence, KS 66049 FAX(785) 841-0434
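The CRAM-MD5 exchange that the cram_md5 authenticator above performs, worked through on both sides as an added example (my own code, not from the post or from Exim). It assumes the RFC 2195 challenge format and uses the RFC's published test vector; the lookup_secret callback stands in for Exim's server_secret, and the returned username is what server_set_id = $1 would record.

```python
import base64
import hashlib
import hmac
import os
import time
from typing import Callable, Optional


def make_challenge(hostname: str) -> bytes:
    """Server side: an RFC 2195 style challenge '<random.time@host>'.
    It must be fresh per connection so a captured response cannot be replayed."""
    return f"<{os.urandom(8).hex()}.{int(time.time())}@{hostname}>".encode()


def client_response(challenge: bytes, username: str, secret: str) -> bytes:
    """Client side (client_name / client_secret): HMAC-MD5 keyed with the shared
    secret over the raw challenge, hex-encoded, prefixed with the username, base64'd."""
    digest = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode())


def server_verify(challenge: bytes, response_b64: bytes,
                  lookup_secret: Callable[[str], Optional[str]]) -> Optional[str]:
    """Server side (server_secret / server_set_id = $1): recompute the digest from
    the stored clear-text secret and compare in constant time.
    Returns the authenticated id, or None on any malformed or failed response.
    Note the caveat this protocol carries: the server must hold the secret in
    clear text, and anyone who records the exchange can brute-force that secret
    offline, which is why the post wraps the authentication in TLS."""
    try:
        decoded = base64.b64decode(response_b64, validate=True).decode("ascii")
        username, digest = decoded.split(" ", 1)
    except (ValueError, UnicodeDecodeError):
        return None
    secret = lookup_secret(username)
    if secret is None:
        return None
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return username if hmac.compare_digest(expected, digest) else None


def exchange(username: str, client_secret: str,
             server_secrets: dict) -> Optional[str]:
    """Run one full challenge/response round trip with a constructed secret table."""
    challenge = make_challenge("server.example.com")
    response = client_response(challenge, username, client_secret)
    return server_verify(challenge, response, server_secrets.get)


if __name__ == "__main__":
    table = {"tls_clients_name": "client_password"}  # constructed, mirrors the post
    print(exchange("tls_clients_name", "client_password", table))   # tls_clients_name
    print(exchange("tls_clients_name", "wrong_password", table))    # None
```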