Re: [exim] Cannot establish connection from client via tls

Góra strony
Delete this message
Reply to this message
Autor: James Brown
Data:  
Dla: Exim Users
Temat: Re: [exim] Cannot establish connection from client via tls
James Brown wrote:
> James Price wrote:
>
>> On 5/7/2010 5:15 PM, James Brown wrote:
>>
>>
>>> OS 8.0-STABLE FreeBSD , exim v. 4.71
>>> I am trying to customize my exim-server setting up on my vds.
>>> I have uncommented the next recordes in its configs:
>>> daemon_smtp_port = 25:465
>>> tls_certificate = CONFDIR/certificate.crt
>>> tls_privatekey = CONFDIR/certificate.key
>>> tls_on_connect_ports = 465
>>> and restarted my server.
>>> After that I have tried to send testing letters from my client on my
>>> local PC (Icedove 2.0.0.24 under Debian Lenny) but it wrote me that
>>> server was failed or refusing connections. (In the same time I could
>>> send email letters through the port n. 25 without tls/ssl).
>>> The log file of my server are attached.
>>> ls -l /usr/local/etc/server.key
>>> -r-------- 2 root wheel 887 Jan 1 1970 /usr/local/etc/server.key
>>> ls -l /usr/local/sbin/exim
>>> lrwxrwxrwx 1 root wheel 11 Apr 29 10:04 /usr/local/sbin/exim ->
>>> exim-4.71-0
>>> ls -l /usr/local/sbin/exim-4.71-0
>>> -rwsr-xr-x 2 root wheel 934792 Jan 1 1970 /usr/local/sbin/exim-4.71-0
>>> Does the exim daemon cannot have access to key-file?
>>>
>>>
>>>
>>>
>> From the looks of this, it appears whatever user you're running exim
>> under does not have permission to open the key file, of course unless
>> you're running exim as root which certainly should have permissions
>> based on what you supplied. I would change the owner of the key and
>> cert file to the same user you're running exim under restart the daemon
>> and you should be good.
>>
>> Thanks,
>> James
>>
>>
>>
> Very thanks.
> My exim works under user /mailnull :
> ps aux | grep exim
> mailnull 89386 0.0 0.0 21120 3708 ?? IsJ 1:17AM 0:00.02
> /usr/local/sbin/exim -bd -q30m (exim-4.71-0)
>
> /And key-file belong to root. But as it was specified earlier
> //usr/local/sbin/exim /had a setuid bit.
> Why exim cannot read that file in spite of that?
> Of course, I can change user of that file, but is it safely to user
> mailnull as an oowner of that key-file?
> Futhermore, that used not only exim but dovecot too that works under
> users root and dovecot:
> ps aux | grep dovecot
> root 9987 0.0 0.0 6972 1528 ?? SsJ 9:06AM 0:02.81
> /usr/local/sbin/dovecot -c /usr/local/etc/dovecot.conf
> root 10010 0.0 0.0 9024 2280 ?? SJ 9:06AM 0:01.57 dovecot-auth
> dovecot 10121 0.0 0.0 10836 2580 ?? IJ 9:06AM 0:00.01 imap-login
> dovecot 73120 0.0 0.0 10840 2704 ?? IJ 8:35AM 0:00.00 pop3-login
> dovecot 73121 0.0 0.0 10840 2704 ?? IJ 8:35AM 0:00.00 pop3-login
> Is it possible to it read that file foo?
> Or it will be simpler to me copy key-file in config-direcotry of exim
> changing user in the same time and use it for exim separatly?
>
> Yours,
>
> James
>
>

Hi, James,
I have tried resolve my problem with accordance of your advice and for
it I was done the next:
1. I have copied key- and cert-files from etc to etc/exim, changed their
chmod (+w), chown them and chmod (-w) again.
2. I have restarted my exim-daemon.
After that I have no error-messages in a log-file such TLS error on
connection from tor-exit.aof.su [216.224.124.124]
(SSL_CTX_use_PrivateKey_file file=/usr/local/etc/server.key):
error:0200100D:system library:fopen:Permission denied but in spite of
that I cannot send my outgoing messages from clien to server too.
I have the next error-messages in /var/log/exim/mainlog:
no host name found for IP address 180.149.95.174
/TLS error on connection from [180.149.95.174] (SSL_accept):
error:00000000:lib(0):func(0):reason(0)
no host name found for IP address 180.149.95.174
TLS error on connection from [180.149.95.174] (SSL_accept):
error:00000000:lib(0):func(0):reason(0)
/and have no any log-recored in /rejectlog/.
What does it mean? Is that required that my client (home PC) must have a
dns-address? It seems to me strange.
I have the next record in my config for preventing spam:
/hostlist relay_from_hosts = 127.0.0.1/ but it concern only
relay-function of exim but not its functions to local mailboxes, am I right?
A config-file of my exim is attached.

Yours,

James
POSTGREY_SOCKET = inet:127.0.0.1:10023
FREEBSD = yes
SPAMCBIN=__ISP_SPAMCBIN__
EXIMBIN=/usr/local/sbin/exim
log_selector =  \
        +all_parents \
        +lost_incoming_connection \
        +received_sender \
        +received_recipients \
        +tls_cipher +tls_peerdn \
        +smtp_confirmation \
        +smtp_syntax_error \
        +smtp_protocol_error


#CONFDIR=__ISP_CONFDIR__
daemon_smtp_port = 25:465
tls_certificate = /usr/local/etc/exim/server.crt
tls_privatekey = /usr/local/etc/exim/server.key
tls_on_connect_ports = 465

.ifdef MAILMAN_ENABLE
MAILMAN_HOME=__MAILMAN_HOME__
MAILMAN_WRAP=__MAILMAN_WRAP__
MAILMAN_USER=__MAILMAN_USER__
MAILMAN_GROUP=__MAILMAN_GROUP__
.endif

trusted_groups = mgrsecure
trusted_users = www

domainlist local_domains = lsearch;/usr/local/etc/exim/domains
domainlist dummy_domains =
hostlist relay_from_hosts = 127.0.0.1

domainlist relay_to_domains = lsearch;/usr/local/etc/exim/domains
exim_user = mailnull
exim_group = mail

never_users = root
host_lookup = *
rfc1413_hosts = *
rfc1413_query_timeout = 0s
ignore_bounce_errors_after = 2d
timeout_frozen_after = 7d
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data

begin acl
    acl_check_rcpt:
        accept    hosts = net-lsearch;/usr/local/etc/exim/whitelist

        
        deny    hosts = net-lsearch;/usr/local/etc/exim/blacklist
                message = $host_data                        


        deny    message       = Restricted characters in address
                domains       = +local_domains
                local_parts   = ^[.] : ^.*[@%!/|]


        deny    message       = Restricted characters in address
                domains       = !+local_domains
                local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./


        accept  local_parts   = postmaster
                verify        = recipient
                domains       = +local_domains


        require verify        = sender


        accept  hosts         = +relay_from_hosts
                control       = submission


        accept  authenticated = *
                condition     = ${if eq{${extract{5}{:}{${lookup{$authenticated_id}lsearch{/usr/local/etc/exim/passwd}}}}}{no} {yes}{no}}
                condition     = ${if eq{${extract{3}{:}{${lookup{${domain:$authenticated_id}}lsearch{/usr/local/etc/exim/domains}}}}}{no} {yes}{no}}
                control       = submission/domain=


        deny    message       = rejected because $sender_host_address is in a black list at $dnslist_domain\\n$dnslist_text
                dnslists      = ${readfile {/usr/local/etc/exim/dnsblists}{:}} 


        require message       = relay not permitted
                domains       = +local_domains : +relay_to_domains


        require verify        = recipient


.ifdef POSTGREY_SOCKET
        defer log_message = greylisted host $sender_host_address
            set acl_m0  = request=smtpd_access_policy\nprotocol_state=RCPT\nprotocol_name=${uc:$received_protocol}\nhelo_name=$sender_helo_name\nclient_address=$sender_host_address\nclient_name=$sender_host_name\nsender=$sender_address\nrecipient=$local_part@$domain\ninstance=$sender_host_address/$sender_address/$local_part@$domain\n\n
            set acl_m0  = ${sg{${readsocket{POSTGREY_SOCKET}{$acl_m0}{5s}{}{action=DUNNO}}}{action=}{}}
            message     = ${sg{$acl_m0}{^\\w+\\s*}{}}
            condition   = ${if eq{${uc:${substr{0}{5}{$acl_m0}}}}{DEFER}{true}{false}}
.endif


        accept


    acl_check_data:
        accept


begin routers
    dnslookup:
        driver = dnslookup
        domains = !+dummy_domains
        transport = remote_smtp
        ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
        self = pass
        no_more


    disabled_domains:
        driver = redirect
        condition = ${extract{3}{:}{${lookup{$domain}lsearch{/usr/local/etc/exim/domains}}}}
        allow_fail = yes
        data = :fail: Domain disabled
        no_more


    disabled_users:
        driver = redirect
        condition = ${extract{5}{:}{${lookup{$local_part@$domain}lsearch{/usr/local/etc/exim/passwd}}}}
        allow_fail = yes
        data = :fail: User disabled
        no_more


    local_domains:
        driver = redirect
        data = ${quote_local_part:$local_part}@${extract{1}{:}{${lookup{$domain}lsearch{/usr/local/etc/exim/domains}}}}
        cannot_route_message = Unknown user
        no_more


.ifdef SA_ENABLE
    spamcheck_router:
        no_verify
        condition = "${if and { {!def:h_X-Spam-Flag:} {!eq {$received_protocol}{spam-scanned}}} {1}{0}}"
        driver = accept
        transport = spamcheck
.endif


    group_aliases:
        driver = redirect
        data = ${extract{1}{:}{${lookup{$local_part@$domain}lsearch{/usr/local/etc/exim/aliases}}}}
        condition = ${if and{\
                        {exists{/usr/local/etc/exim/aliases}}\
                        {eq {${extract{2}{:}{${lookup{$local_part@$domain}lsearch{/usr/local/etc/exim/aliases}}}}} {group} }\
                    } {yes} {no} }
        redirect_router = a_dnslookup


    aliases:
        driver = redirect
        data = ${extract{1}{:}{${lookup{$local_part@$domain}lsearch{/usr/local/etc/exim/aliases}}}}
        condition = ${if exists{/usr/local/etc/exim/aliases} {yes} {no} }


    aliases_pipe:
                driver = redirect
        pipe_transport = address_pipe
        data = ${lookup {$local_part@$domain} lsearch{/usr/local/etc/exim/pipe-aliases}}
                condition =${lookup {$local_part@$domain} lsearch{/usr/local/etc/exim/pipe-aliases} {yes} {no} }

                                

    local_users:
        driver = redirect
        condition = ${lookup {$local_part@$domain} lsearch {/usr/local/etc/exim/passwd} {yes} {no} }
        data = $local_part@$domain
        redirect_router = autoreplay


.ifdef MAILMAN_ENABLE
    mailman:
        driver = accept
        require_files = MAILMAN_HOME/lists/$local_part/config.pck
        local_part_suffix_optional
        local_part_suffix = -bounces : -bounces+* : -confirm+* : -join : -leave : -owner : -request : -admin : -subscribe : -unsubscribe
        transport = mailman


    mailman_isp:
        driver = accept
        require_files = MAILMAN_HOME/lists/$local_part-$domain/config.pck
        local_part_suffix_optional
        local_part_suffix = -bounces : -bounces+* : -confirm+* : -join : -leave : -owner : -request : -admin : -subscribe : -unsubscribe
        transport = mailman_isp
.endif


    catchall_for_domains:
        driver = redirect
        headers_add = X-redirected: yes
        data = ${extract{2}{:}{${lookup{$domain}lsearch{/usr/local/etc/exim/domains}}}}
        file_transport = local_delivery


    unknown_users:
        driver = redirect
        allow_fail = yes
        data = :fail: Unknown user
        no_more


    autoreplay:
        driver = accept
        condition = ${if exists{${extract{4}{:}{${lookup{$local_part@$domain}lsearch{/usr/local/etc/exim/passwd}}}}/message.txt} {yes} {no}}
        retry_use_local_part
        transport = address_reply
        unseen


    localuser:
        driver = accept
        transport = local_delivery


# Same routers without autoreplay

    a_dnslookup:
        driver = dnslookup
        domains = !+dummy_domains
        transport = remote_smtp
        ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
        self = pass
        no_more


    a_disabled_domains:
        driver = redirect
        condition = ${extract{3}{:}{${lookup{$domain}lsearch{/usr/local/etc/exim/domains}}}}
        allow_fail = yes
        data = :fail: Domain disabled
        no_more


    a_disabled_users:
        driver = redirect
        condition = ${extract{5}{:}{${lookup{$local_part@$domain}lsearch{/usr/local/etc/exim/passwd}}}}
        allow_fail = yes
        data = :fail: User disabled
        no_more


    a_local_domains:
        driver = redirect
        data = ${quote_local_part:$local_part}@${extract{1}{:}{${lookup{$domain}lsearch{/usr/local/etc/exim/domains}}}}
        cannot_route_message = Unknown user
        redirect_router = a_dnslookup
        no_more


    a_aliases:
        driver = redirect
        data = ${extract{1}{:}{${lookup{$local_part@$domain}lsearch{/usr/local/etc/exim/aliases}}}}
        condition = ${if exists{/usr/local/etc/exim/aliases} {yes} {no} }
        redirect_router = a_dnslookup


    a_aliases_pipe:
        driver = accept
        transport = aliases_pipe
        condition = ${lookup {$local_part@$domain} lsearch {/usr/local/etc/exim/pipe-aliases} {yes} {no} }


    a_local_users:
        driver = accept
        transport = local_delivery
        condition = ${lookup {$local_part@$domain} lsearch {/usr/local/etc/exim/passwd} {yes} {no} }


.ifdef MAILMAN_ENABLE
    a_mailman:
        driver = accept
        require_files = MAILMAN_HOME/lists/$local_part/config.pck
        local_part_suffix_optional
        local_part_suffix = -bounces : -bounces+* : -confirm+* : -join : -leave : -owner : -request : -admin : -subscribe : -unsubscribe
        transport = mailman


    a_mailman_isp:
        driver = accept
        require_files = MAILMAN_HOME/lists/$local_part-$domain/config.pck
        local_part_suffix_optional
        local_part_suffix = -bounces : -bounces+* : -confirm+* : -join : -leave : -owner : -request : -admin : -subscribe : -unsubscribe
        transport = mailman_isp
.endif


    a_catchall_for_domains:
        driver = redirect
        headers_add = X-redirected: yes
        data = ${extract{2}{:}{${lookup{$domain}lsearch{/usr/local/etc/exim/domains}}}}
        file_transport = local_delivery
        redirect_router = a_dnslookup


begin transports
    remote_smtp:
        driver = smtp


    local_delivery:
        driver = appendfile
        file = ${extract{4}{:}{${lookup{$local_part@$domain}lsearch{/usr/local/etc/exim/passwd}}}}/mbox
        delivery_date_add
        envelope_to_add
        return_path_add
        mode = 0660
        quota = ${extract{3}{:}{${lookup{$local_part@$domain}lsearch{/usr/local/etc/exim/passwd}}}}M
        quota_warn_threshold = 75%
        use_lockfile = no
        no_mode_fail_narrower
        user = ${extract{1}{:}{${lookup{$local_part@$domain}lsearch{/usr/local/etc/exim/passwd}}}}
        group = ${extract{2}{:}{${lookup{$local_part@$domain}lsearch{/usr/local/etc/exim/passwd}}}}

                        
    address_pipe:
        driver = pipe
        return_output

                            
    aliases_pipe:
        driver = pipe
        command = ${extract{1}{:}{${lookup{$local_part@$domain}lsearch{/usr/local/etc/exim/pipe-aliases}}}}
        use_shell

                                    
    address_reply:
        driver = autoreply
        headers = ${readfile{${extract{4}{:}{${lookup{$local_part@$domain}lsearch{/usr/local/etc/exim/passwd}}}}/message.txt}}
        to = $sender_address


.ifdef MAILMAN_ENABLE
    mailman_isp: 
        driver = pipe
        command = MAILMAN_WRAP '${if def:local_part_suffix {${sg{$local_part_suffix}{-(\\w+)(\\+.*)?}{\$1}}} {post}}' $local_part-$domain
        current_directory = MAILMAN_HOME
        home_directory = MAILMAN_HOME
        user = MAILMAN_USER
        group = MAILMAN_GROUP


    mailman:
        driver = pipe
        command = MAILMAN_WRAP '${if def:local_part_suffix {${sg{$local_part_suffix}{-(\\w+)(\\+.*)?}{\$1}}} {post}}' $local_part
        current_directory = MAILMAN_HOME
        home_directory = MAILMAN_HOME
        user = MAILMAN_USER
        group = MAILMAN_GROUP
.endif


.ifdef SA_ENABLE
    spamcheck:
        debug_print = "T: spamassassin_pipe for $local_part@$domain"
        driver = pipe
        command = EXIMBIN -oMr spam-scanned -bS
        use_bsmtp
        transport_filter = SPAMCBIN
        home_directory = "/tmp"
        current_directory = "/tmp"
        user = mailnull
        group = mail
        return_fail_output
        message_prefix =
        message_suffix =
.endif



begin retry
*        *        F,2h,15m; G,16h,1h,1.5; F,4d,6h


begin rewrite
.ifdef MAILMAN_ENABLE
    \N^(.*<)?([^<]*)@([^>]*).*$\N   "${if exists{MAILMAN_HOME/lists/${sg{$2}{-$3.*}{-$3}}/config.pck} {${sg{$0} {-$3} {}}} {$0} }" S
    \N^(.*<)?([^<]*)@([^>]*).*$\N   "${if exists{MAILMAN_HOME/lists/${sg{$2}{-$3.*}{-$3}}/config.pck} {${sg{$0} {-$3} {}}} {$0} }"
.endif


begin authenticators


cram:
driver = cram_md5
public_name = CRAM-MD5
server_secret = ${extract {6} {:} {${lookup{$1}lsearch{/usr/local/etc/exim/passwd}}}}
server_set_id = $1


plain:
driver = plaintext
public_name = PLAIN
server_prompts = :
server_condition = ${if and{{!eq{$3}{}} {eq {$3} {${extract {6} {:} {${lookup{$2}lsearch{/usr/local/etc/exim/passwd}}}}}}} {yes} {no} }
server_set_id = $2

login:
driver = plaintext
public_name = LOGIN
server_prompts = "Username:: : Password::"
server_condition = ${if and{{!eq{$2}{}} {eq {$2} {${extract {6} {:} {${lookup{$1}lsearch{/usr/local/etc/exim/passwd}}}}}}} {yes} {no} }
server_set_id = $1