[exim] FYI

This is the solution I have proposed for the authenticated SMTP over TLS
incorporating a fudge for OE user on AOL who need to use SMTPS.

Thank you all very much for your input on this. Any comments,
corrections appreciated.


Once upon a time in the land of A-O-Hell the evil ones decided to
capture all their users email.

OK in a nutshell this is the problem

AOL do not allow any port 25 traffic to leave their network unless it
comes from their own mail server. This gives three immediate problems.

1. Authenticated SMTP does not work as per our instructions, because it
uses their server and not ours (staff-mailout)

2. Sites that use SPF may reject users email because it says it is from
lboro but comes from a server with no lboro mx record.

3. AOL may filter out users email as a false positive, and the user will
think we did it because their client is configured to use our server.

So we really want all our users email to go through our server.

AOL state that if you want unfiltered email to go off of their network
then to use port 587.

The simple solution is to get users on AOL to use port 587 for sending
email, then get our server to listen on port 587 as well as port 25.
This works for all proper, standards compliant email clients, however it
does not work for OE (well it wouldn't would it).

The Problem

SSL (secure socket layer) or as it is more often know now TLS (transport
level security) should work in the following way.

Client connects to serve with EHLO
Server advertises Start-TLS service
Client requests Start-TLS
Client reconnects with SSL connection
Server advertises AUTH-SMTP
Client requests AUTH-SMTP
authentication takes place over secure encrypted link.

OE does indeed support this on port 25, however because some stooopid
programmer at MS decided that if you use any other port than port 25 you
must want to use the old SMTPS protocol.

This is similar to above, but dives in straight away with an SSL
connection, does not wait to see what is advertised and does not request
Start-TLS. As this often broke servers that did not support TLS it was
dropped years ago (but sadly OE still uses it by default for any port
other than 25).

There is a way of getting around this, you can load exim with a command
line parameter of -tls-on-connect which means it will look for a tls
connection straight away without any negotiation. This fixes the problem
for all OE users (Huraah!) but it then breaks the service for all none
OE users (booo!).

So we need two versions of exim one doing the normal standard stuff and
one doing -tls-on-connect. I have set this up on the test server in the
following way.

Standard exim, loads from /etc/init.d/exim as per normal, using normal
config file. listens on port 25 and port 587.

exim-aol loads from /etc/init.d/exim-aol which has the following line to
load exim

daemon exim -bd -q15m -tls-on-connect -C /usr/local/exim/configure-AOL

you will notice that this uses the -tls-on-connect and uses a seperate
config file which is identical to the ordinary configure file except it
tells it to only listen on port 465 (which is the old standard SMTPS
port). So now we have two exim daemons running one listening for
standard authenticated smtp on port 25 and 587
and one listening for smtps on port 465. They both write to the same log
file which seems to work.

The following is what we need to tell users

All normal users use port 25
AOL users
OE AOL users use port 465
None OE users use port 587

We could use other ports but these are the standard ones, remember AOL
is only blocking port 25.

Thoughts please.


--
Ron McKeating
Senior IT Services Specialist
Internet Services and Software Solutions
Loughborough University
01509 222329