Re: [Exim] 2 SSL questions

Author: Matt Bernstein
Date:  
To: Mark Edwards
CC: exim-users
Subject: Re: [Exim] 2 SSL questions
At 00:48 -0700 Mark Edwards wrote:

>1) Is it possible to require clients to make secure SMTP connections? I
>see that you can make Exim request a certificate with tls_verify_hosts and
>fail if the client doesn't provide one, but is it possible to simply make
>Exim only authenticate SMTP connections using SSL? My guess is no, because
>that would interfere with normal delivery of mail, but am I right?

Use the ACLs. Here are some tips (a.b.c.d is the IP address of the external
interface you want to listen on):

main config:

local_interfaces = <; [a.b.c.d]:25; [a.b.c.d]:587; \
    [127.0.0.1]:25; [127.0.0.1]:587

auth_advertise_hosts = ${if eq{$tls_cipher}{}{localhost}{*}}
tls_try_verify_hosts = ${if eq{$interface_port}{587}{}{*}}

(this last line is for MUAs like Netscape 4 which grumble at the user if a
client cert is asked for, but one isn't available. Just point them at
a.b.c.d:587.)

near the top of your RCPT ACL:

  accept  authenticated = *
          encrypted = *

  accept  encrypted = *
          verify = certificate

  accept  condition = ${if eq{$interface_port}{587}{1}{0}}
          endpass
          message = AUTH required for port 587
          authenticated = *

your AUTH ACL:

  accept  encrypted     = *
  accept  condition     = ${if eq{${uc:$smtp_command_argument}}{CRAM-MD5}{yes}{no}}
  accept  hosts         = localhost
  deny    message       = STARTTLS required before AUTH

>2) I have Exim set up to advertise TSL/SSL to all hosts, using a
>self-signed certificate. It works with most hosts, but Outlook Express Mac
>fails if I have "use SSL" checked. Is this just because of the
>self-signing, or is there some trick to making Outlook Express work with
>Exim using SSL?

There are two ways to do SSL. Lookout Express tends to use the "ssmtp"
variant on port 465 where the whole conversation is encrypted. Use
"stunnel -d 465 -r 587" to slot into the above config, but it'll look like
all your mail has come from localhost.

Alternatively use the -tls-on-connect option. Unfortunately this is only a
command-line option, and you can't do something snazzy like:

tls_on_connect = ${if eq{$interface_port}{465}{1}{0}}

HTH,

Matt
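The configuration in the reply above has one observable effect from the client side: on the submission port, EHLO before STARTTLS must not list AUTH, and EHLO after STARTTLS must. The script below is an added example (not code from the original post or from the Exim project) that verifies exactly that property. The sample EHLO responses are constructed for the offline check; `check_live()` runs the same logic against a real listener using Python's standard `smtplib`, and the host name `mail.example.test` is a placeholder.

```python
"""Verify that a submission listener advertises AUTH only after STARTTLS.

Added example, not from the original post. The EHLO responses below are
constructed sample data in the shape smtplib stores in SMTP.ehlo_resp
(first line is the server greeting, one extension keyword per line).
"""
import smtplib
import ssl

# Constructed: what a correctly configured server shows before STARTTLS.
EHLO_BEFORE_TLS = (
    b"mail.example.test Hello client [192.0.2.10]\n"
    b"SIZE 52428800\n"
    b"STARTTLS\n"
    b"HELP"
)

# Constructed: what the same server shows once the session is encrypted.
EHLO_AFTER_TLS = (
    b"mail.example.test Hello client [192.0.2.10]\n"
    b"SIZE 52428800\n"
    b"AUTH CRAM-MD5 PLAIN LOGIN\n"
    b"HELP"
)

# Constructed: a misconfigured server that offers AUTH on the cleartext channel.
EHLO_LEAKY = (
    b"mail.example.test Hello client [192.0.2.10]\n"
    b"AUTH PLAIN LOGIN\n"
    b"STARTTLS\n"
    b"HELP"
)


def parse_ehlo(ehlo_msg):
    """Map each advertised extension keyword (upper-cased) to its parameters.

    The first line of the response is the greeting and carries no extension.
    """
    extensions = {}
    for line in ehlo_msg.decode("ascii", "replace").splitlines()[1:]:
        parts = line.strip().split()
        if parts:
            extensions[parts[0].upper()] = parts[1:]
    return extensions


def auth_only_after_tls(before_tls, after_tls):
    """Return a list of policy violations; an empty list means the policy holds.

    Policy (matching the ACL intent above): STARTTLS must be offered on the
    cleartext channel, AUTH must not be, and AUTH must appear once encrypted.
    """
    pre = parse_ehlo(before_tls)
    post = parse_ehlo(after_tls)
    problems = []
    if "AUTH" in pre:
        problems.append("AUTH advertised before STARTTLS")
    if "STARTTLS" not in pre:
        problems.append("STARTTLS not advertised")
    if "AUTH" not in post:
        problems.append("AUTH not advertised after STARTTLS")
    return problems


def check_live(host, port=587, timeout=10, cafile=None):
    """Run the same check against a real listener (needs network; not used offline).

    cafile lets you trust a self-signed server certificate explicitly instead
    of disabling verification.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with smtplib.SMTP(host, port, timeout=timeout) as conn:
        conn.ehlo()
        before = conn.ehlo_resp
        conn.starttls(context=ctx)
        conn.ehlo()  # extensions must be re-queried after STARTTLS
        after = conn.ehlo_resp
    return auth_only_after_tls(before, after)


if __name__ == "__main__":
    print("good config:", auth_only_after_tls(EHLO_BEFORE_TLS, EHLO_AFTER_TLS))
    print("leaky config:", auth_only_after_tls(EHLO_LEAKY, EHLO_AFTER_TLS))
```

Run `check_live("mail.example.test", 587, cafile="/path/to/server-cert.pem")` against your own server after changing `auth_advertise_hosts`; an empty list confirms that credentials can only be sent inside TLS. Passing the self-signed certificate via `cafile` keeps verification on, which is the same problem the second question in the thread runs into with a mail client that does not trust the certificate.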