Autor: W B Hacker Data: A: exim users Assumpte: Re: [exim] Using TLS to encrypt SMTP traffic...
jtelep@??? wrote: > I'm not sure that I even have the subject of this message accurate. I am
> trying to make sure that I understand this encryption scheme correctly.
> Please can someone correct me if I am wrong on the next statement:
>
> If I configure my Exim4 server to use TLS then the order of the way things
> should work after that is:
>
> 1. I request an SMTP connection to my server
> 2. It responds and initiates a TLS connection with the client.
> 3. I then authenticate using something like SASL and don't need to worry
> about the username or password being "sniffed" or intercepted in any other
> way.
>
> Thanks,
>
> Jon
>
>
'use TLS' can apply to more than one place in Exim.
There are commonly two places, and three variations where encryption comes into
play:
- esmtp, used to *offer* TLS encryption to distant hosts submitting incoming
traffic on your port 25, and to *request* TLS of distant host port 25 to which
your server wishes to send. You can force this, but not all remote hosts can or
will be able to comply, so best to do that only in a corporate private network,
else you will cut-off some traffic. IOW - a good idea to enable it, but not to
insist on it.
Typical settings include:
daemon_smtp_ports = 25 : 465 : 587
tls_certificate = /usr/local/etc/exim/certs/<cert name or number>
tls_advertise_hosts = *
An optional setting is:
tls_remember_esmtp = yes
2) - esmtp(s/a) - used to encrypt BOTH UID:password AND message traffic
submitted from your MUA to your mail server. SSL/TLS 'forced' on the submission
port(s) for authentication and subsequent traffic. Once in place, further
'secure' password exchange mehtods are optional, as even 'plain' is now inside
an SSL/TLs 'tunnel'. With server settings you can force *all* of your user MUA's
to use SSL/TLS when authenticating - generally a very good idea, as all modern
MUA support it - even MS broken ones.
(be aware port 465 is in most MUA for legacy always-on 'SSL' but has been
officially reassigned for other use WEF February 2006)
3) - use to (attempt to) protect the UID:password exchange, but not the message
traffic. SASL, by itself, does not apply encryption of any kind to the headers
or body of the message, only the login.
Further research of the docs can expand your familiarity with Exim's setup for
each of these.