Re: [exim] Help with TLS and SMTP

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Eric A. Bonney
Dátum:  
Címzett: exim-users
Tárgy: Re: [exim] Help with TLS and SMTP
Hi Dan:

Thanks for the direction. I actually had to remove the following (well
commented them out actually)

tls_verifycertificates
tls_verify_hosts
tls_try_verify_hosts

I am not sure why I had to do that, but then again I am not really
following the documentation very well here that I have read. I am
guessing that these three are to be used if I where supplying a
certificate from my client to Exim4, which I am not. I am just trying to
get a secure connection so that the username/password are not passed in
clear text over the transmission and not having to open up any type of
relay hosts on my server.

I am now able to email from my phone, and any other sites that I use
email from without having to specify any relay-from-hosts items.

Thanks again for the help, that was pretty much my last issue that I had
with my email server.

The only remaining open item that I need to track down is why every time
I connect to my mail server I am asked to accept the certificate, even
though I have already done that. I think it also has something to do
with the fact that I currently have two different domains on this
machine ericbonney.com and bonneycpa.com but the certificate is for
bonneycpa.com. More research to be done there, but that is just a minor
annoyance. :)

Thanks again.

-Eric

Dan_Mitton@??? wrote:
> Eric,
>
> I'm not positive here, but try removing the 'tls_verifycertificates' from
> your configuration. If I'm reading the doc right, I believe that is used
> to verify the sending client certificates. Is Thunderbird using the same
> mycert.crt?
>
> See:
> http://www.exim.org/exim-html-current/doc/html/spec_html/ch39.html#SECID183
>
> Dan
>
>
>
> Please respond to mailinglists@???
> Sent by:        exim-users-bounces@???
> To:     exim-users@???
> cc:      (bcc: Dan Mitton/YD/RWDOE)
> Subject:        [exim] Help with TLS and SMTP
> LSN: Not Relevant
> User Filed as: Not a Record

>
> I am trying to force my users to use TLS when sending out any emails.
> They must authenticate against my MySQL tables also. I think I have the
> authentication stuff down, but I am having issues with the TLS part of
> it. I created a .crt and .key file with the following command:
>
> openssl req -x509 -newkey rsa:1024 -keyout mycert.key -out mycert.crt
> -days 365 -nodes
>
> I then put the .key/.crt file in my /etc/exim4 directory and made sure
> that they where both owned by root, but readable by the user used to run
> the exim4 process.
>
> in my .conf file for exim here is what I have for the tls options:
>
> tls_advertise_hosts = *
> tls_certificate = /etc/exim4/mycert.crt
> tls_privatekey = /etc/exim4/mycert.key
> tls_verifycertificates = /etc/exim4/mycert.crt
> tls_verify_hosts = *
> tls_try_verify_hosts = *
>
> In my acl_check_rcpt I have the following:
> require
>     message = relay not permitted
>     domains = +local_domains : +relay_to_domains

>
> I am not sure what else I should give in order to make this be complete.
> When I telnet into the port and then issue a ehlo example.com command I
> get the following:
> 250-SIZE 52428800
> 250-PIPELINING
> 250-STARTTLS
> 250 HELP
>
> When I try to send an email from Thunderbird using one of the domains I
> am hosting I get the following error:
> Sending of message failed.
> The message could not be sent because connection to SMTP server
> mail.example.com failed. The server may be unavailable or is refusing
> SMTP connections. Please verify that your SMTP server setting is correct
> and try again, or else contact your network administrator.
>
> Lastly, the error that is recorded in the logs is as follows:
> TLS error on connection from ([xxx.xxx.x.xxx]) [xxx.xxx.x.xxx]
> (gnutls_handshake): A TLS warning alert has been received.
>
> Sorry for the long email, but I wanted to try and get as much
> information as I currently have to the list. Any help is appreciated and
> if there is anything else that I can provide, please just ask.
>
> Thanks,
> -Eric
>
>