Re: [exim] Exim4, can't send mail with SSL/TLS after upgrad…

Author: W B Hacker
Date:  
To: exim users
Subject: Re: [exim] Exim4, can't send mail with SSL/TLS after upgrade from Sarge to Lenny?
Daniel Tiefnig wrote:
> timebandit wrote:
>> [ SMTP protocol synchronization error ]
>>
>> I have tried to google and so on and find a lot of these errors but no
>> solution. Using no encryption or STARTTLS works but want to use SSL3
>> as I always have.
>
> Hi,
>
> is the port you are connecting to listed in "tls_on_connect_ports"? It
> should be set to something like
> tls_on_connect_ports = 465
> to support SSL encryption on the standard SSMTP port.
>
> br,
> daniel
>


Folks,

Like it or not,

- it is coming up several *years* now that IANA assigned port 465 to a
Cisco-proprietary protocol that has naught to do with smtp.

- further, it never was 'officially' assigned as the smtp submission
port. Though the RFC meandered through donkey's years during which it
was the de-facto if not de-jure usage, the final outcome was to settle
on port 587, and TLS (with a HELO) - not 'classical' SSL (where the
'tunnel' is put in-place on arrival via a different sort of handshake).

- *eventually* MUA will cease (directly) supporting port 465.

- Port 587 *can* be set to tls_on_connect, thereafter also requiring
non-standard MUA config. But configuring MUA to use SSL-only and 587
instead of 465 is not likely to be universally supported forever.

Some MUA are already unable to do that.

Bottom line:

- require your user-base AUTH *only* on 587

- use port 24 for weird-and-wonderful relaying, inbound/outbound pools,
etc. That's what it is for. 'any private mail service' IIRC.

- but *also* require encrypted protocol in your acl's so a fall-back to
unencrypted - which the protocol supports - is NOT acceptable to
authenticate with Exim.

And, of course, exempt any arrival 'AUTH'ed in that proper manner from
tests for rDNS fail, dynamic-IP or other RBL lookup, and strict HELO to
FQDN matching, 'coz most residential OR biz broadband will fail all of
the above.

Either:

condition = ${if eq{$interface_port}{25}}

to apply strict tests to remote MTA (or zombot) arrivals.

or a !condition to exempt your own users.

Keep your user-base OFF port 25, AND ALSO insist on encryption of the link:

!condition         = ${if eq{$interface_port}{587}}
accept  encrypted  = *


later on, also:

authenticated = *

As one cannot 'AUTH' in acl_smtp_connect. Too soon.

Not to forget, in the authenticator(s):

    server_advertise_condition = ${if eq{$tls_cipher}{}{no}{yes}}


Or something more cleanly written to that effect...

I code in BFBI, but it JFW in Exim.

;-)

Bill
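The fragments above, pulled together into one Exim configuration as an added example (this is not Bill's configuration or anything from the Exim project; it only illustrates the policy he describes). It assumes the daemon listens on 25 and 587, that `/etc/exim4/exim.crt`, `/etc/exim4/exim.key`, `/etc/exim4/passwd`, the domain `example.org` and the DNSBL `dnsbl.example.net` are placeholders to be replaced, and it uses `$tls_cipher` as in the post; Exim 4.80 and later name the same variable `$tls_in_cipher` and keep `$tls_cipher` as a compatibility alias.

```exim
# ---- main section (placeholders: certificate, key, local domain) ----
daemon_smtp_ports   = 25 : 587
tls_advertise_hosts = *
tls_certificate     = /etc/exim4/exim.crt
tls_privatekey      = /etc/exim4/exim.key
domainlist local_domains = example.org

acl_smtp_auth = acl_check_auth
acl_smtp_rcpt = acl_check_rcpt

begin acl

# AUTH cannot be judged in acl_smtp_connect (too soon, as the post says);
# acl_smtp_auth runs when the client actually sends AUTH.
acl_check_auth:
  # Submission credentials are only accepted on the submission port...
  deny    message    = AUTH is only accepted on port 587
          !condition = ${if eq{$interface_port}{587}}
  # ...and never over a link that fell back to cleartext.
  deny    message    = AUTH requires an encrypted connection
          !encrypted = *
  accept

acl_check_rcpt:
  # Your own users: encrypted, authenticated, on 587. They skip the
  # rDNS / DNSBL / HELO tests that residential or business broadband fails.
  accept  condition     = ${if eq{$interface_port}{587}}
          encrypted     = *
          authenticated = *
          control       = submission

  # Anything else on 587 is not a legitimate submission: refuse it.
  deny    message   = Port 587 is for authenticated submission only
          condition = ${if eq{$interface_port}{587}}

  # From here on we are on port 25, talking to remote MTAs (or zombots):
  # apply the strict tests.
  deny    message = HELO/EHLO name must resolve to your address
          !verify = helo
  deny    message = No reverse DNS for your address
          !verify = reverse_host_lookup
  deny    message  = Listed in $dnslist_domain: $dnslist_text
          dnslists = dnsbl.example.net

  # Only accept mail for our own domains; no unauthenticated relaying.
  require verify  = recipient
  accept  domains = +local_domains
  deny    message = relay not permitted

begin authenticators

# PLAIN is only advertised once TLS is up, so a client cannot be talked
# into sending its password on the cleartext leg before STARTTLS.
plain_server:
  driver                     = plaintext
  public_name                = PLAIN
  server_prompts             = :
  server_condition           = ${if crypteq{$auth3}{${lookup{$auth2}lsearch{/etc/exim4/passwd}{$value}fail}}}
  server_set_id              = $auth2
  server_advertise_condition = ${if def:tls_cipher}
```

The two `deny` statements in `acl_check_auth` and the `server_advertise_condition` overlap on purpose: the advertise condition keeps well-behaved clients from ever trying AUTH in the clear, while the ACL stops a client that sends AUTH anyway. After loading the file, `exim -bV` reports syntax errors and `exim -bh <ip>` lets you walk the ACLs for a given source address before exposing the new policy to users.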