Re: [exim] smarthost relay problems

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Bill Hacker
Dátum:  
Címzett: exim
Tárgy: Re: [exim] smarthost relay problems
Rob Brenart wrote:

>
>>>
>>
>> There is a simpler way to annotate it, but this should cover it all:
>> =============================================
>>
>> local_interfaces = <your first IP> : <your next IP>
>>
>> # Defaults to all if not mentioned.
>>
>> daemon_smtp_ports = 25 : <second port>: <third port>: <fourth port> :
>> 465 :<fifth port>
>>
>> # defaults to 25 if not mentioned
>>
>> tls_on_connect_ports = 465 : <next port>    (( those ones will work 
>> the old SSL protocol))

>>
>> #defaults to none, AFAIK, but runs TLS on all.
>> #Note that there is no colon after the last entry.
>>
>> tls_certificate = /usr/local/etc/exim/certs/<your cert filename>
>> #You did generate & install a cert?
>>
>> tls_advertise_hosts = *
>>
>> tls_remember_esmtp = yes
>>
>> # These to get esmtps // esmtpsa TLS end-to-end with hosts that grok it
>>
>> auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}
>> # there are variations on this
>>
>> ===============================================
>>
> Correct me if I'm wrong, but this help sounds like help for listeners,


Wrong.

This covers *both* other MTA's and MUA's.

> and my trouble is in sending mail to a smarthost, not receiving from...
> the smarthost I'm sending to is what it is, I can't make any changes
> there...


With the above, any host that can and will grok TLS will use it, as it,
and you, will both 'advertise' it at EHLO/HELO, then negotiate whatever
works.

Including 'en claire' if the servers cannot agree on certs and protocol
rev levels.

There is a separate setting to make Exim 'TLS or no speak at all'.

> and the reason SSL & TSL came up is because in my thunderbird
> installation, SSL is what my SMTP is configured to, which makes it
> communicate over port 465.
>

... or other port of your choice, in the case of T-Bird/Mozilla/Netscape.

Count the ports I left without actual numbers... Some support STARTTLS
/ en clair, others SSL/TLS-on-connect or no-deal.


The MUA-to-MTA issue is only superfically related to MTA-MTA handshakes,
but provided for in the config above.

An MUA does an EHLO/HELO equivalent as MTA's do, but many MUA are
broken, and in dfferent ways.

In the case of smtps / SSL / TLS-on-connect, the listener does not send
a banner first, nor does the caller expect one.

In the case of newer SSL3/TLS, the listener provides a banner when the
port is connected to.
The caller waits for this before commencing the EHLO/HELO.

A common problem is trying to get a pure-TLS MUA to connect to an
SSL/TLS-on-connect port.
It waits until 'time out' for a banner that will never come.

Likewise an older SSL-only MUA trying to connect to a newer TLS host.
It speaks without first being spoken to,
and get thrown off by the host for bad manners, AKA 'protocol violations'.

MTA's seldom have these problems, as they *have to* adhere to standards
and shift gears according to the standards.

HTH,

Bill