[exim] Problems getting TLS working

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Wayne Pascoe
Datum:  
To: exim-users
Betreff: [exim] Problems getting TLS working
Hi all,

I'm trying to get TLS working, and I want to authenticate against my
courier authdaemon. I want my mail server to require auth before it
will relay mail. I'm using Exim 4 on Gentoo.

I've tried the instructions at http://www.exim.org/mail-archives/exim-
users/Week-of-Mon-20050307/msg00180.html but I'm still having problems.

For starters, I'm not sure it's authenticating when my machine
connects. I'm using Mail.app on Apple, and when I try and send a
mail, I see the following message in my exim log file:
2005-09-20 23:00:49 TLS error on connection from ([192.168.10.5])
[192.168.10.5] (SSL_CTX_load_verify_locations): error:00000000:lib
(0):func(0):reason(0)

I have the following sections in my exim configuration file:

Global Settings
tls_certificate = /etc/exim/exim.crt
tls_privatekey = /etc/exim/exim.key
tls_advertise_hosts = *
tls_verify_hosts = *
tls_verify_certificates = /etc/exim/cacerts.pem

I created the pem file by doing
openssl req -new -days 3650 -nodes -config smtp.cnf -out smtp.pem -
keyout smtp.pem and
and then moving smtp.pem to /etc/exim. The CN in the configuration
file is the host name that my mail clients use to connect to the server.

TRANSPORTS
remote_smtp:
driver = smtp
interface = xx.xx.xx.xx
hosts_require_tls = *
tls_certificate = /etc/exim/exim.crt
tls_privatekey = /etc/exim/exim.key

AUTHENTICATORS
plain:
   driver = plaintext
   public_name = PLAIN
   server_advertise_condition = ${if eq{$tls_cipher}{}{no}{yes}}
   server_condition = ${if eq {${readsocket{/var/lib/courier/ 
authdaemon/socket} \
                    {AUTH ${strlen:exim\nlogin\n$1\n$2\n}\nexim\nlogin 
\n$1\n$2\n}}}{FAIL\n} {no}{yes}}
   server_set_id = $2


Can anyone advise me what I've missed or what I'm doing wrong ?

Any help would be gratefully appreciated! I'm heading out of the
country for a while, and I want to be able to relay mail through my
main server. I also want to setup SPF when I get back, and I believe
that this is an essential first step.

Thanks in advance,

-- 
Wayne Pascoe    (gpg --keyserver www.co.uk.pgp.net --recv-keys 79A7C870)
The time for action is passed. Now is the
time for senseless bickering.