Re: [exim] Problem with TLS connection

Author: Heiko Schlittermann
Date:  
To: exim-users
Subject: Re: [exim] Problem with TLS connection
Hill Ruyter <hill@???> (Thu May 19 12:44:47 2011):
> Hello again
>
> Whenever I make a change to the config I do the following, I had assumed it
> was the correct process…
>
> update-exim4.conf


… not sure. I'm not using the Debian/Ubuntu configuration scheme.
But, as written in some previous mail

    exim4 -bV


tells you the file path of the configuration file used (about the very
last line of the output).

And

    exim -bP


tells you all the global configuration settings.

    exim -bP tls_on_connect_ports


just the setting of this one specific global config option.


> Invoke-rc.d exim4 stop
> Invoke-rc.d exim4 start


That's correct. Mostly an "invoke-rc.d exim4 reload" should do. If not,
"invoke-rc.d exim4 restart" should do. If not, then your way is fine
too.

> If this is wrong then please do let me know but I was sure it was enough to
> initiate any changes to the configuration template.
>
>
> In reference to the comments by Ian
>
> I am really confused by the proper use of ports. I was using 465 for my SSL
> connections until someone told me that was not the correct port to use for
> SMTP over SSL/TLS and that I should be using 587 so I changed my config,
> firewalls etc because I have a wish to do things properly.


465 is often assumed to be the proper port for mail submission using
SSL. AFAIK this port was registered in 1997 and revoked in 1998.

On port 465 it is expected to have an SSL tunnel before starting any
SMTP communication.

    TCP-Handshake -> SSL-Handshake -> SMTP-Handshake


Using third-party software, any MUA and any MTA could be enabled to use
secure connections that way.

Since about 1998 (according to de.wikipedia.org) STLS (STARTTLS) was
specified. Here both client and server first establish an SMTP
connection, and then, on layer 7, they may agree on using SSL.


    TCP-Handshake -> SMTP-Handshake -> STLS (SSL-Handshake) -> again SMTP-Handshake


This STLS method *should* be used whenever you have to authenticate to
your mail server using some plaintext method. It *may* be used for any
mail transfer, even on port 25, if supported by both parties.

Whether you want or need to support port 465 depends on the demands of your
clients. I'd say all (even MS Outlook) are able to use an arbitrary port
and to send the STLS command. And it depends on the mail server
software. If the mail server can't differentiate between authentication
over encrypted connections vs. authentication over unencrypted
connections, AND you want to force your users to use encryption, port
465 may be an option. [Using Exim you can reject any authentication that
hits you w/o using a tunnel. You even can offer authentication only if
there is a secure connection established already.]

(In some clients the ssl-on-connect method is referred to as SSL and the
STLS-method is named TLS. Confusing…)


--
Heiko :: dresden : linux : SCHLITTERMANN.de
GPG Key 48D0359B : 3061 CFBF 2D88 F034 E8D2 7E92 EE4E AC98 48D0 359B
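The mail's point that a server should offer AUTH only once STARTTLS has established a secure connection can be checked from the two EHLO replies a client sees (before and after STARTTLS). This added example is not part of the original thread or of Exim; the EHLO transcripts are constructed samples, and `mail.example.test` is a placeholder host.

```python
"""Audit whether an SMTP server advertises AUTH before STARTTLS (added example)."""
import smtplib
import ssl

# Constructed sample EHLO replies (not captured from a real server).
EHLO_BEFORE_TLS = """250-mail.example.test Hello client [192.0.2.10]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-STARTTLS
250 HELP"""

EHLO_AFTER_TLS = """250-mail.example.test Hello client [192.0.2.10]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250 HELP"""

def parse_ehlo(response):
    """Return the set of extension keywords in a multi-line EHLO reply."""
    keywords = set()
    for line in response.splitlines()[1:]:      # first line is the greeting
        if line[:3].isdigit():                   # raw "250-KEYWORD" form
            line = line[4:]                      # (smtplib already strips this)
        line = line.strip()
        if line:
            keywords.add(line.split()[0].upper())
    return keywords

def audit_auth_policy(before_tls, after_tls):
    """Classify when AUTH is offered relative to STARTTLS.

    'ok'            AUTH only after STARTTLS (what the thread recommends)
    'auth-in-clear' AUTH offered on the plaintext session (credentials at risk)
    'no-starttls'   STARTTLS not offered at all
    'no-auth'       AUTH never advertised
    """
    pre, post = parse_ehlo(before_tls), parse_ehlo(after_tls)
    if "STARTTLS" not in pre:
        return "no-starttls"
    if "AUTH" in pre:
        return "auth-in-clear"
    if "AUTH" not in post:
        return "no-auth"
    return "ok"

def fetch_ehlo_pair(host, port=587, timeout=10):
    """Collect both EHLO replies from a live submission server (network needed)."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        _, before = s.ehlo()                                 # plaintext EHLO
        s.starttls(context=ssl.create_default_context())     # upgrade on layer 7
        _, after = s.ehlo()                                  # EHLO again, now encrypted
    return before.decode(), after.decode()
```

Run `audit_auth_policy(*fetch_ehlo_pair("mail.example.test"))` against your own server; anything other than `ok` means plaintext credentials can reach the wire.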