Re: [exim] www.rellits.com ssl tutorial worked for courier, …

Author: Tommy Butler
Date:  
To: exim-users
CC: Hendrik Brückner
Subject: Re: [exim] www.rellits.com ssl tutorial worked for courier, but not exim
hbrueckner@??? wrote:

>Hi,
>
>some hints for configuring Exim with TLS:
>
>On Mon, Dec 13, 2004 at 01:33:36PM -0600, Tommy Butler wrote:
>
>
>>I thought I did the right thing when I edited
>>conf.d/main/03_exim-4config_tlsoptions...
>>
>>
>
>Here are the entries of my working '03_exim-4config_tlsoption'.
>------------------------
>hostlist auth_over_tls_hosts = *
>
># Defines that you want to log what cipher your exim and the peer's mailer
># uses to encrypt the transaction. It also defines you want to log the 'DN'
># (Distinguished Name) of the certificate of the peer.
>#
>log_selector = +tls_cipher +tls_peerdn
>
># Defines what hosts to 'advertise' STARTTLS functionality to. Setting this
># to * will advertise to all hosts that connect with EHLO, and this is a
># good default
>#
>tls_advertise_hosts = *
>
># Defines where your SSL-certificate and SSL-Private Key are located.
># This requires a full path. The files pointed to must be kept 'secret'
># and should be owned by root.Debian-exim mode 640 (-rw-r-----). Usually the
># exim-gencert script takes care of these prerequisites.
>#
>tls_certificate = CONFDIR/tlscert/exim.crt
>tls_privatekey  = CONFDIR/tlscert/exim.key
>tls_dhparam     = CONFDIR/tlscert/private/exim.dhparam
>------------------------
>If the tls_dhparam option is not set, exim will create the dh parameters at startup.
>
>
>
>>Can anyone tell what's wrong with my setup, and tell me how to fix it?
>>Wow, I really appreciate all the high quality help I've had so far.
>>Exim is very well supported by its community. (Whether large or small,
>>it's the quality of the help that makes software usable or not, imho.)
>>
>>
>
>BTW: Do you have exim with compiled TLS support?
>Try `exim -bV`. Something like "GnuTLS" or "openssl" should be displayed (e.g.):
>Support for: iconv() IPv6 PAM Perl GnuTLS
>
>

I guess I need to compile my own exim4 then to get TLS support? Is that
what this is telling me?

$ exim4 -bV
Exim version 4.34 #1 built 20-Nov-2004 11:32:14
Copyright (c) University of Cambridge 2004
Berkeley DB: Sleepycat Software: Berkeley DB 3.2.9: (May 26, 2004)
Support for: iconv() IPv6 PAM Perl GnuTLS
Lookups: lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmnz dnsdb
dsearch ldap ldapdn ldapm mysql nis nis0 passwd pgsql
Authenticators: cram_md5 plaintext spa
Routers: accept dnslookup ipliteral iplookup manualroute queryprogram
redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Fixed never_users: 0
Contains exiscan-acl patch revision 21 (c) Tom Kistner
[http://duncanthrax.net/exiscan/]
Configuration file is /var/lib/exim4/config.autogenerated

...And if I am going to need to compile my own, which is the better
choice? OpenSSL or GnuTLS, and why?

--
Tommy Butler
tommy@??? <mailto:tommy@atrixnet.com>
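
A pre-flight check for the two points raised in this thread, added here as an example (it is not from either poster or from the Exim project): it reads `exim -bV` output for a TLS library on the `Support for:` line, and tests that a key file is no more permissive than the mode 640 recommended in the quoted configuration comments. The function names `tls_library` and `key_perms_ok` are hypothetical.

```shell
#!/bin/sh
# Added example: TLS pre-flight checks for the Exim setup discussed above.

# Lines copied from the `exim4 -bV` output in the post, used as sample input.
SAMPLE_BV='Exim version 4.34 #1 built 20-Nov-2004 11:32:14
Support for: iconv() IPv6 PAM Perl GnuTLS
Authenticators: cram_md5 plaintext spa'

# tls_library: read `exim -bV` output on stdin and print the TLS library
# named on the "Support for:" line. Returns 1 when no TLS library is listed,
# i.e. the binary was built without TLS support.
tls_library() {
    awk '
        /^Support for:/ {
            for (i = 3; i <= NF; i++) {
                t = tolower($i)
                if (t == "gnutls" || t == "openssl") {
                    print $i
                    found = 1
                    exit
                }
            }
        }
        END { exit (found ? 0 : 1) }
    '
}

# key_perms_ok FILE: succeed only if FILE is a regular file that is no more
# permissive than mode 640 (-rw-r-----): group may read at most, others get
# nothing. A missing file fails the check.
key_perms_ok() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$mode" in
        -???[r-]-----) return 0 ;;
        *)             return 1 ;;
    esac
}

# Demonstration on the sample from the post.
if lib=$(printf '%s\n' "$SAMPLE_BV" | tls_library); then
    echo "TLS support compiled in: $lib"
else
    echo "no TLS library on the 'Support for:' line"
fi
```

On a live system, pipe the real output in (`exim4 -bV | tls_library`) and pass `key_perms_ok` the path that `tls_privatekey` expands to.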