Hello,
I have now cleaned up my configuration and deleted /etc/exim4/exim4.conf.
So the configuration is now running solely via exim4.conf.template and
dpkg-reconfigure.
The error remains the same (console output from mainlog and swaks):
<<
vitruvia:~# tail /var/log/exim4/mainlog | grep TLS
2007-06-15 09:26:24 TLS error on connection from p549948f0.dip.t-dialin.net [84.153.72.240] (no TLS server certificate is specified)
[... it still doesn't find my certificates, even though I explicitly defined their path ...]
vitruvia:~# swaks -a -tls -q HELO -s localhost -au root -ap '<>'
=== Trying localhost:25...
=== Connected to localhost.
<- 220 vitruvia.dyndns.org ESMTP Exim 4.63 Fri, 15 Jun 2007 09:26:58 +0200
-> EHLO vitruvia.dyndns.org
<- 250-vitruvia.dyndns.org Hello localhost [127.0.0.1]
<- 250-SIZE 52428800
<- 250-PIPELINING
<- 250 HELP
*** STARTTLS not supported
-> QUIT
<- 221 vitruvia.dyndns.org closing connection
=== Connection closed with remote host.
vitruvia:~#
>>
The TLS section of my /etc/exim4/exim4.conf.template reads:
<<
# TLS/SSL configuration.
# See /usr/share/doc/exim4-base/README.Debian.gz for explanations.
MAIN_TLS_CERTIFICATE = /etc/exim4/exim.crt
MAIN_TLS_PRIVATEKEY = /etc/exim4/exim.key
SMTPLISTENEROPTIONS='-oX 465:25 -oP /var/run/exim4/exim.pid'
AUTH_SERVER_ALLOW_NOTLS_PASSWORDS = no
#MAIN_TLS_ADVERTISE_HOSTS = *
.ifdef MAIN_TLS_ENABLE
# Defines what hosts to 'advertise' STARTTLS functionality to. The
# default, *, will advertise to all hosts that connect with EHLO.
.ifndef MAIN_TLS_ADVERTISE_HOSTS
MAIN_TLS_ADVERTISE_HOSTS = *
.endif
tls_advertise_hosts = MAIN_TLS_ADVERTISE_HOSTS
# Full paths to Certificate and Private Key. The Private Key file
# must be kept 'secret' and should be owned by root.Debian-exim mode
# 640 (-rw-r-----). exim-gencert takes care of these prerequisites.
# Normally, exim4 looks for certificate and key in different files:
# MAIN_TLS_CERTIFICATE - path to certificate file,
# CONFDIR/exim.crt if unset
# MAIN_TLS_PRIVATEKEY - path to private key file
# CONFDIR/exim.key if unset
# You can also configure exim to look for certificate and key in the
# same file, set MAIN_TLS_CERTKEY to that file to enable. This takes
# precedence over all other settings regarding certificate and key file.
.ifdef MAIN_TLS_CERTKEY
tls_certificate = MAIN_TLS_CERTKEY
.else
.ifndef MAIN_TLS_CERTIFICATE
MAIN_TLS_CERTIFICATE = CONFDIR/exim.crt
.endif
tls_certificate = MAIN_TLS_CERTIFICATE
.ifndef MAIN_TLS_PRIVATEKEY
MAIN_TLS_PRIVATEKEY = CONFDIR/exim.key
.endif
tls_privatekey = MAIN_TLS_PRIVATEKEY
.endif
# Pointer to the CA Certificates against which client certificates are
# checked. This is controlled by the `tls_verify_hosts' and
# `tls_try_verify_hosts' lists below.
# If you want to check server certificates, you need to add an
# tls_verify_certificates statement to the smtp transport.
# /etc/ssl/certs/ca-certificates.crt is generated by
# the "ca-certificates" package's update-ca-certificates(8) command.
.ifndef MAIN_TLS_VERIFY_CERTIFICATES
MAIN_TLS_VERIFY_CERTIFICATES = ${if exists{/etc/ssl/certs/ca-certificates.crt}\
                                    {/etc/ssl/certs/ca-certificates.crt}\
                                    {/dev/null}}
.endif
tls_verify_certificates = MAIN_TLS_VERIFY_CERTIFICATES
# A list of hosts which are constrained by `tls_verify_certificates'. A host
# that matches `tls_verify_host' must present a certificate that is
# verifyable through `tls_verify_certificates' in order to be accepted as an
# SMTP client. If it does not, the connection is aborted.
.ifdef MAIN_TLS_VERIFY_HOSTS
tls_verify_hosts = MAIN_TLS_VERIFY_HOSTS
.endif
# A weaker form of checking: if a client matches `tls_try_verify_hosts' (but
# not `tls_verify_hosts'), request a certificate and check it against
# `tls_verify_certificates' but do not abort the connection if there is no
# certificate or if the certificate presented does not match. (This
# condition can be tested for in ACLs through `verify = certificate')
.ifndef MAIN_TLS_TRY_VERIFY_HOSTS
MAIN_TLS_TRY_VERIFY_HOSTS = *
.endif
tls_try_verify_hosts = MAIN_TLS_TRY_VERIFY_HOSTS
.endif
>>
... which results in these TLS-related sections of /var/lib/exim4/config.autogenerated:
<<
[first line of the file:] MAIN_TLS_ENABLE = true
[...]
MAIN_TLS_CERTIFICATE = /etc/exim4/exim.crt
MAIN_TLS_PRIVATEKEY = /etc/exim4/exim.key
SMTPLISTENEROPTIONS='-oX 465:25 -oP /var/run/exim4/exim.pid'
AUTH_SERVER_ALLOW_NOTLS_PASSWORDS = no
.ifdef MAIN_TLS_ENABLE
.ifndef MAIN_TLS_ADVERTISE_HOSTS
MAIN_TLS_ADVERTISE_HOSTS = *
.endif
tls_advertise_hosts = MAIN_TLS_ADVERTISE_HOSTS
.ifdef MAIN_TLS_CERTKEY
tls_certificate = MAIN_TLS_CERTKEY
.else
.ifndef MAIN_TLS_CERTIFICATE
MAIN_TLS_CERTIFICATE = CONFDIR/exim.crt
.endif
tls_certificate = MAIN_TLS_CERTIFICATE
.ifndef MAIN_TLS_PRIVATEKEY
MAIN_TLS_PRIVATEKEY = CONFDIR/exim.key
.endif
tls_privatekey = MAIN_TLS_PRIVATEKEY
.endif
.ifndef MAIN_TLS_VERIFY_CERTIFICATES
MAIN_TLS_VERIFY_CERTIFICATES = ${if exists{/etc/ssl/certs/ca-certificates.crt}\
                                    {/etc/ssl/certs/ca-certificates.crt}\
                                    {/dev/null}}
.endif
tls_verify_certificates = MAIN_TLS_VERIFY_CERTIFICATES
.ifdef MAIN_TLS_VERIFY_HOSTS
tls_verify_hosts = MAIN_TLS_VERIFY_HOSTS
.endif
.ifndef MAIN_TLS_TRY_VERIFY_HOSTS
MAIN_TLS_TRY_VERIFY_HOSTS = *
.endif
tls_try_verify_hosts = MAIN_TLS_TRY_VERIFY_HOSTS
.endif
[...]
>>
Regards
Andreas
Magnus Holmgren wrote:
> On Thursday 14 June 2007 18:57, Andreas Kahl wrote:
>
>> thanks for your tips. Now I finally got 465 open, but no STARTTLS is
>> advertised in a telnet session (no AUTH is advertised at all):
>>
>
> Are you using exim4.conf or exim4.conf.template? If exim4.conf exists, it is
> used instead of the Debian-specific config system. You previously said that
> you put tls_on_connect_ports = 465 in exim4.conf.
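The checks a practitioner would run against the setup described in this thread, as an added example that is not part of the original posts: print the configuration file Exim actually loaded and the values it resolves tls_certificate, tls_privatekey, tls_advertise_hosts and tls_on_connect_ports to (an empty tls_certificate is exactly what the mainlog reports as "no TLS server certificate is specified"), verify the certificate and key files exist with the ownership and mode the template comment describes, confirm the key belongs to the certificate, and then probe port 25 for an advertised STARTTLS and port 465 for TLS on connect. The script assumes Debian's exim4 layout (binary `exim4`, daemon user `Debian-exim`) plus `openssl`, `nc` and GNU `stat`; the script name, the `--live` switch and the `probe.example` EHLO name are my own choices. One caveat on the posted template, independent of the script: Debian's exim4 template tests `AUTH_SERVER_ALLOW_NOTLS_PASSWORDS` with `.ifdef`, so assigning it any value, including `no`, defines the macro and permits plaintext passwords without TLS; leave the macro undefined if that is not intended.

```shell
#!/bin/sh
# exim-tls-check.sh: diagnostics for "STARTTLS not advertised" /
# "no TLS server certificate is specified" on a Debian exim4 host.
# Added example, not from the thread. Assumes: exim4 binary, daemon user
# Debian-exim, openssl, nc, GNU stat.  Usage: sh exim-tls-check.sh --live [host]

# ehlo_advertises EXT: read an SMTP transcript on stdin and succeed if the EHLO
# reply advertised extension EXT (STARTTLS, AUTH, PIPELINING, ...). Accepts raw
# server lines ("250-STARTTLS") and swaks-style lines ("<- 250-STARTTLS").
ehlo_advertises() {
    grep -Eiq "^(<- )?250[- ]$1"'( |$)'
}

# key_perms_ok FILE OWNER GROUP: succeed if FILE is mode 640 and owned by
# OWNER:GROUP, the layout the template comment describes (root:Debian-exim).
key_perms_ok() {
    [ -f "$1" ] || return 1
    [ "$(stat -c '%a %U %G' "$1")" = "640 $2 $3" ]
}

# cert_matches_key CRT KEY: succeed if the RSA modulus in the certificate equals
# the one in the private key, i.e. the two files belong together.
cert_matches_key() {
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
    k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# smtp_probe HOST PORT: plain-TCP EHLO, printing the server's reply. The sleep
# keeps stdin open long enough for the reply to arrive before nc exits.
smtp_probe() {
    { printf 'EHLO probe.example\r\nQUIT\r\n'; sleep 2; } | nc -w 5 "$1" "$2"
}

diagnose() {
    host=${1:-localhost}
    echo "== config file in use and resolved TLS options"
    exim4 -bV | grep -i 'configuration file'
    # -bP prints "option = value" for the configuration Exim actually reads;
    # this is the quickest way to see whether the MAIN_TLS_* macros took effect.
    exim4 -bP tls_certificate tls_privatekey tls_advertise_hosts tls_on_connect_ports

    crt=$(exim4 -bP tls_certificate | sed 's/^[^=]*= *//')
    key=$(exim4 -bP tls_privatekey  | sed 's/^[^=]*= *//')
    echo "== certificate and key files"
    if [ -r "$crt" ]; then
        openssl x509 -noout -subject -dates -in "$crt"
    else
        echo "certificate '$crt' missing or unreadable"
    fi
    key_perms_ok "$key" root Debian-exim || echo "key '$key': expected mode 640, root:Debian-exim"
    if cert_matches_key "$crt" "$key"; then
        echo "certificate and key match"
    else
        echo "certificate and key do NOT match (or could not be read)"
    fi

    echo "== port 25: STARTTLS advertised?"
    if smtp_probe "$host" 25 | ehlo_advertises STARTTLS; then echo yes; else echo no; fi
    echo "== port 465: TLS on connect (tls_on_connect_ports = 465)"
    printf 'QUIT\r\n' | openssl s_client -connect "$host:465" 2>&1 \
        | grep -E 'subject=|Verify return|Cipher is|error'
    # The listening daemon re-reads its configuration only on restart or SIGHUP,
    # so after update-exim4.conf / dpkg-reconfigure: invoke-rc.d exim4 restart
}

if [ "${1:-}" = "--live" ]; then
    diagnose "${2:-localhost}"
fi
```

`ehlo_advertises` also works offline on a pasted transcript: piping the swaks session quoted above through `ehlo_advertises STARTTLS` fails and through `ehlo_advertises PIPELINING` succeeds, which is the same conclusion swaks printed as "STARTTLS not supported". Run the `--live` mode as root so `exim4 -bP` can read the same files the daemon reads.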