SSL/TLS recipe (was Re: [Exim] TLS on a port other than 25)

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Matt Bernstein
Datum:  
To: exim-users
Alte Treads: Re: [Exim] TLS on a port other than 25
Betreff: SSL/TLS recipe (was Re: [Exim] TLS on a port other than 25)
On Feb 15 Philip Hazel wrote:

>The only facility is -tls-on-connect, for legacy clients that use smtps.
>The recommendation is to use inetd to handle this "second version of
>Exim", which of course doesn't actually have to be a second version.


You only need one configuration file and two daemons. No inetd or friends.
Here is a recipe which listens on 25, 465 (ssmtp) and 587 on all local
IPv4 interfaces. It requires either ESMTP AUTH or a client TLS certificate
on port 587, but only advertises AUTH to an SSL/TLS session or localhost.

Maybe others will find this useful. (You need to create your server
certificate, and client certs must be signed by CA-file.pem.)

To start Exim (requires Exim >= 4.03):

    exim -bd -q10m
    exim -bd -oX '[0.0.0.0]::465' -tls-on-connect


..and in exim.conf (main section):

local_interfaces = <; [0.0.0.0]:25; [0.0.0.0]:587
auth_advertise_hosts = ${if eq{$tls_cipher}{}{localhost}{*}}
tls_advertise_hosts = *
tls_try_verify_hosts = ${if eq{$interface_port}{587}{*}{}}
tls_certificate = /etc/exim/server-cert.pem
tls_privatekey = /etc/exim/server-key.pem
tls_verify_certificates = /etc/exim/CA-file.pem

..and in your RCPT ACL (near the top):

  accept  authenticated = *
          encrypted = *


  accept  encrypted = *
          verify = certificate


  accept  condition = ${if eq{$interface_port}{587}{1}{0}}
          endpass
          message = SMTP AUTH or client SSL certificate required for port 587
          authenticated = *