Hello,
thanks for your tips. Now I finally got 465 open, but no STARTTLS is
advertised in a telnet session (no AUTH ist advertised at all):
<<
vitruvia:~# telnet localhost smtp
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 vitruvia.dyndns.org ESMTP Exim 4.63 Thu, 14 Jun 2007 18:56:20 +0200
EHLO vitruvia.dyndns.org
250-vitruvia.dyndns.org Hello localhost [127.0.0.1]
250-SIZE 52428800
250-PIPELINING
250 HELP
AUTH
503 AUTH command used when not advertised
quit
221 vitruvia.dyndns.org closing connection
Connection closed by foreign host.
vitruvia:~# telnet localhost 465
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.
vitruvia:~#
>>
I am using the courier-authdaemon authenticator.
/var/log/exim4/mainlog says:
<<
2007-06-14 18:48:54 TLS error on connection from
p5499446f.dip.t-dialin.net [84.153.68.111] (no TLS server certificate
is specified)
>>
I generated the certificate-files with
|/usr/share/doc/exim4-base/examples/exim-gencert and they're definetly
in the correct location (/etc/exim4/exim.crt/pem)|.
TLS is configured in my /etc/exim4/exim4.conf.template as follows:
<<
MAIN_TLS_ENABLE = yes
MAIN_TLS_CERTIFICATE = yes
MAIN_TLS_PRIVATEKEY = yes
SMTPLISTENEROPTIONS='-oX 465:25 -oP /var/run/exim4/exim.pid'
AUTH_SERVER_ALLOW_NOTLS_PASSWORDS = no
.ifdef MAIN_TLS_ENABLE
# Defines what hosts to 'advertise' STARTTLS functionality to. The
# default, *, will advertise to all hosts that connect with EHLO.
.ifndef MAIN_TLS_ADVERTISE_HOSTS
MAIN_TLS_ADVERTISE_HOSTS = *
.endif
tls_advertise_hosts = MAIN_TLS_ADVERTISE_HOSTS
# Full paths to Certificate and Private Key. The Private Key file
# must be kept 'secret' and should be owned by root.Debian-exim mode
# 640 (-rw-r-----). exim-gencert takes care of these prerequisites.
# Normally, exim4 looks for certificate and key in different files:
# MAIN_TLS_CERTIFICATE - path to certificate file,
# CONFDIR/exim.crt if unset
# MAIN_TLS_PRIVATEKEY - path to private key file
# CONFDIR/exim.key if unset
# You can also configure exim to look for certificate and key in the
# same file, set MAIN_TLS_CERTKEY to that file to enable. This takes
# precedence over all other settings regarding certificate and key file.
.ifdef MAIN_TLS_CERTKEY
tls_certificate = MAIN_TLS_CERTKEY
.else
.ifndef MAIN_TLS_CERTIFICATE
MAIN_TLS_CERTIFICATE = CONFDIR/exim.crt
.endif
tls_certificate = MAIN_TLS_CERTIFICATE
.ifndef MAIN_TLS_PRIVATEKEY
MAIN_TLS_PRIVATEKEY = CONFDIR/exim.key
.endif
tls_privatekey = MAIN_TLS_PRIVATEKEY
.endif
# Pointer to the CA Certificates against which client certificates are
# checked. This is controlled by the `tls_verify_hosts' and
# `tls_try_verify_hosts' lists below.
# If you want to check server certificates, you need to add an
# tls_verify_certificates statement to the smtp transport.
# /etc/ssl/certs/ca-certificates.crt is generated by
# the "ca-certificates" package's update-ca-certificates(8) command.
.ifndef MAIN_TLS_VERIFY_CERTIFICATES
MAIN_TLS_VERIFY_CERTIFICATES = ${if
exists{/etc/ssl/certs/ca-certificates.crt}\
{/etc/ssl/certs/ca-certificates.crt}\
{/dev/null}}
.endif
tls_verify_certificates = MAIN_TLS_VERIFY_CERTIFICATES
# A list of hosts which are constrained by `tls_verify_certificates'.
A host
# that matches `tls_verify_host' must present a certificate that is
# verifyable through `tls_verify_certificates' in order to be accepted
as an
# SMTP client. If it does not, the connection is aborted.
.ifdef MAIN_TLS_VERIFY_HOSTS
tls_verify_hosts = MAIN_TLS_VERIFY_HOSTS
.endif
# A weaker form of checking: if a client matches
`tls_try_verify_hosts' (but
# not `tls_verify_hosts'), request a certificate and check it against
# `tls_verify_certificates' but do not abort the connection if there is no
# certificate or if the certificate presented does not match. (This
# condition can be tested for in ACLs through `verify = certificate')
.ifndef MAIN_TLS_TRY_VERIFY_HOSTS
MAIN_TLS_TRY_VERIFY_HOSTS = *
.endif
tls_try_verify_hosts = MAIN_TLS_TRY_VERIFY_HOSTS
.endif
>>
Additionally mentioning
tls_certificate = /etc/exim4/exim.crt
tls_privatekey = /etc/exim4/exim.pem
in /etc/exim4/exim4.conf doesn't have any effect.
I don't have any idea what else to read or try. Any ideas?
Regards
Andreas
Mitchell Cannon schrieb:
> "/etc/init.d/exim4 restart" should do it - assuming that you're
> using split configs /etc/exim4/exim4.conf.localmacros is a funky
> place to put a split config file in the conf.d substructure.. If
> you're not using split configs, then you should insert that line
> into the head of your main config file somewhere.
>
> For the record, on my Etch system, I put "MAIN_TLS_ENABLE = yes"
> (not true) in the top of my
> /etc/exim4/conf.d/main/01_exim4-config_listmacrodefs running the
> split configuration. I also copied the auth method I wanted to use
> from /etc/exim4/conf.d/auth/30_exim4-config_examples and placed it
> into /etc/exim4/conf.d/10_exim4-config_sasld (being that sasl2
> with pam is what I decided to use - extra packages were required
> for that and I suggest googling around should you choose to use
> that kind of auth). If you're not using split configs then I would
> say that you're needing to put MAIN_TLS_ENABLE into the top of your
> main .conf file somewhere.
>
> On Thu, 2007-06-14 at 12:25 +0200, Andreas Kahl wrote:
>> Peter Bowyer schrieb:
>>> On 13/06/07, Andreas Kahl <Andreas_Kahl@???
>>> <mailto:Andreas_Kahl@gmx.net>> wrote:
>>>
>>>> Hello,
>>>>
>>>> by now I tryed to activate Port 465 for SMTP-TLS Connections
>>>> and tested that via telnet. I added these lines at the very
>>>> beginning of my Main-Section of /etc/exim4/exim4.conf:
>>>>
>>>> << MAIN_TLS_ENABLE = true SMTPLISTENEROPTIONS='-oX 465:25 -oP
>>>> /var/run/exim4/exim.pid' tls_on_connect_ports=465
>>>>
>>>
>>> Hmm, not sure how those daemon options get extracted from your
>>> exim config file - did you put them in the right place? Don't
>>> know what package/config system you're using, but the daemon
>>> options need to go where the exim daemon gets started from ,
>>> which isn't the config file...
>>>
>>> Peter
>>>
>>>
>> I now put MAIN_TLS_ENABLE = true into
>> /etc/exim4/exim4.conf.localmacros instead of /etc/exim4.conf . I
>> am using a Debian Etch and initially configured exim4 via dpkg
>> --reconfigure.
>>
>> By the way, I now also tested my SMTPLISTENEROPTIONS manually via
>> debug output - and that works:
>>
>> << vitruvia:/etc/exim4# exim -d+acl+auth -oX 465:25 -bd -oP
>> /var/run/exim4/exim4.pid Exim version 4.63 uid=0 gid=0 pid=8146
>> D=fbb95cfd Berkeley DB: Sleepycat Software: Berkeley DB 4.3.29:
>> (September 6, 2005) Support for: crypteq iconv() IPv6 PAM Perl
>> GnuTLS move_frozen_messages Content_Scanning Old_Demime Lookups:
>> lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmnz dnsdb
>> dsearch ldap ldapdn ldapm mysql nis nis0 passwd pgsql sqlite
>> Authenticators: cram_md5 cyrus_sasl plaintext spa [...]
>> originator: uid=0 gid=0 login=root name=root 8146
>> daemon_smtp_port overridden by -oX: 8146 <: 465: 25 8146
>> listening on all interfaces (IPv6) port 465 8146 listening on all
>> interfaces (IPv4) port 465 8146 listening on all interfaces
>> (IPv6) port 25 8146 listening on all interfaces (IPv4) port 25
>> 8146 pid written to /var/run/exim4/exim4.pid 8146 changed
>> uid/gid: running as a daemon [...]
>>>>
>>
>> With that telnet works: << vitruvia:~# telnet localhost 465
>> Trying 127.0.0.1... Connected to localhost. Escape character is
>> '^]'. Connection closed by foreign host. vitruvia:~#
>>
>>>>
>>
>> So the question still is how to put that into the configuration
>> file to take any effect.
>>
>> Regards Andreas