Re: [Exim] AOL blocks SSL/TLS?

Author: James P. Roberts
Date:  
To: exim-users
Subject: Re: [Exim] AOL blocks SSL/TLS?
Problem solved, with extensive thanks to the kind and intelligent people
on this list.

In the end, in order to support an Outlook Express 6.0 client, over an
AOL dial-up connection, requiring SSL/TLS before SMTP AUTH, I learned
the following items:

(1) AOL diverts all packets destined to port 25 on any server, and
intercepts them with their own SMTP relay machine, which does not support
TLS. There are rumored to be other ISPs that do the same thing.

(2) There exist two other "standard" ports for SMTP communications.
Port 587 is specified by RFC and is also found in the default
/etc/services in a RedHat 7.1 Linux installation, listed as
"submission." Port 465 is also specified by RFC, and is listed in
/etc/services as "smtps".

(3) Port 587 ("submission") can be used by Netscape email client, and I
have set my Exim to listen on that port, as well as 25. I have not
tested it from a Netscape client, yet. I may yet have to use Stunnel on
that port (see below).

(4) Outlook Express (OE) can be configured to use pretty much any port
for SMTP. But, it does not recognize adding the port number to the SMTP
server address, unfortunately. It has to be set on the
"Tools/Accounts/Properties/Advanced" tab, same place as the "this server
requires SSL" check box.

(5) If you tell OE to use port 25 AND encryption, for SMTP, it attempts
STARTTLS, but only if STARTTLS is advertised by the server. (Except AOL
can hijack it, causing it to fail, because AOL does not support TLS -
i.e. my original problem). If the server does not advertise STARTTLS,
the connection from OE fails, even if the server actually supports it.

(6) If you tell OE to use any port other than 25, AND encryption, it
transmits only scrambled messages, including the "EHLO" message. It
apparently assumes the port is expecting encrypted messages.

(7) By setting Stunnel to listen on that port, simply having it
redirect the connection to localhost:25, and also negotiate "smtps" (see
below), it works! This eliminates the "dropped connection" error
(0x800CCC0F) that OE gives when using encryption to any port other than
25.

Specifically, I used the following xinetd config statements:

service smtps
{
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/stunnel
        server_args     = -r 25 -n smtp
        log_on_success  += USERID
        log_on_failure  += USERID
        disable         = no
}
I also made sure I permitted "smtps" (aka port 465) TCP connections to
my server through the firewall.

I suspect I am going to have problems the first time I get a customer
that uses Netscape email, and also uses an ISP that hijacks SMTP
traffic. I hope Stunnel will solve that problem as well. But maybe
Netscape does not have the same problems as OE.

Finally, I understand the reason that AOL does this. Although I still
find it distasteful, and even immoral, I have to admit I understand that
they do it in order to prevent spammers from abusing AOL to transmit
emails to open relays. "The ends do not justify the means." But,
thanks to certain calm-headed people on this list, I at least understand
the reason. And thanks to you, I was able to find a usable
work-around.

By the way, the work-arounds suggested (just have Exim listen on an
additional port) work fine without SSL/TLS. But, I had to take the
extra steps outlined above to be able to retain that security feature.

Thank you again!

Jim Roberts
President
Punster Productions, Inc.
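A diagnostic for the situation in items (1) and (5) above, added here as an example and not part of the original post: it connects in the clear, sends EHLO, and reports the banner and whether STARTTLS is advertised, which is how an intercepting relay without TLS shows up next to the real server. The two localhost "servers" it probes are constructed stand-ins with invented names, not real hosts.

```python
import socket
import threading

def read_reply(sock):
    """Read one SMTP reply; a multi-line reply uses '250-' until the final '250 ' line."""
    data = b""
    while not data.endswith(b"\r\n") or data.rstrip(b"\r\n").split(b"\r\n")[-1][3:4] != b" ":
        chunk = sock.recv(4096)
        if not chunk:
            break
        data += chunk
    return [line.decode("ascii", "replace") for line in data.split(b"\r\n") if line]

def probe_starttls(host, port, helo_name="probe.example.test", timeout=5.0):
    """Connect in the clear, send EHLO, and report the banner and whether STARTTLS is offered."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = read_reply(s)
        s.sendall(("EHLO %s\r\n" % helo_name).encode("ascii"))
        ehlo = read_reply(s)
        s.sendall(b"QUIT\r\n")
    # capability keywords follow the "250-"/"250 " prefix; the first line is the server name
    caps = {line[4:].split()[0].upper() for line in ehlo[1:] if line.startswith("250") and len(line) > 4}
    return {"banner": banner[0] if banner else "", "starttls": "STARTTLS" in caps, "caps": sorted(caps)}

def fake_smtp_server(name, caps):
    """Constructed stand-in for an SMTP listener on localhost; serves one session, returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(("220 %s ESMTP\r\n" % name).encode("ascii"))
            conn.recv(1024)  # EHLO from the probe
            lines = ["250-%s" % name] + ["250-%s" % c for c in caps[:-1]] + ["250 %s" % caps[-1]]
            conn.sendall(("\r\n".join(lines) + "\r\n").encode("ascii"))
            conn.recv(1024)  # QUIT (or EOF)
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return port

def compare_paths():
    """Probe a TLS-capable server beside a relay that, like the one described, offers no STARTTLS."""
    direct = fake_smtp_server("mail.example.test", ["PIPELINING", "STARTTLS", "AUTH PLAIN LOGIN"])
    relay = fake_smtp_server("relay.isp.test", ["PIPELINING", "SIZE 10240000"])
    return probe_starttls("127.0.0.1", direct), probe_starttls("127.0.0.1", relay)

if __name__ == "__main__":
    for result in compare_paths():
        print(result)
```

Pointing probe_starttls at your own server's port 25 from inside an ISP that diverts the port shows the relay's banner and capability list instead of yours, which is the quickest way to confirm the interception before changing ports.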