Re: [exim] EXIM4 - Secure SMTP - Ubuntu 12.04 and CentOS 6.x…

Author: Michael J. Tubby B.Sc G8TIC
Date:  
To: DLSauers
CC: exim-users
Subject: Re: [exim] EXIM4 - Secure SMTP - Ubuntu 12.04 and CentOS 6.x AMD64
On 08/08/2013 19:52, DLSauers wrote:
> Looking to secure things up... and I want to ensure that all inbound
> email is secured.
>
> So is it possible to setup EXIM4 on Ubuntu 12.04 and CentOS 6.x to use
> SECURE SMTP *ONLY*!
>
> Thus all connections to the SMTP server would be encrypted... YES this
> probably means a 90%+ ELIMINATION in servers that can email the domains
> setup on such a server, oh well, so sad. You don't need to email me then!
>
> I want security, SECURITY ! SECURITY! Encrypted "meta data" connection
> thus snooping is slowed down unless certain alphabets want to brute force
> it and put those Crays in UT to work! POP3 and IMAP with SSL/TLS is
> already implemented... Secure drives are being implemented, and physical
> control changes are being made too. Yes the servers are moving off US
> soil, and weak jurisdictions.
>
> If there is a way that a non secure connection can be told to "Sorry
> stupid server, you need to try it securely!" and/or send back a
> message... Sorry! This server requires a SSL/TLS connection to send
> email! Please configure your server thusly, and try again! Or don't
> bother!"
>
> Simply quit listening on Port 25? ? And only on 465 ????


SSMTP is doable, but deprecated in favour of STARTTLS on port 25.

> Lots of HOWTO: on enabling SSL/TLS, but it appears from these that NON
> SSL/TLS is still possible and that the initial connection may be
> UNSECURE! ! ! BZZT!!!!


You want something like this:

#
# welcome banner
#
smtp_banner = "$primary_hostname ESMTP Exim $version_number #$compile_number $tod_full"

# enable SMTP and MSA (the 465 variant also needs tls_on_connect_ports below)
#daemon_smtp_ports = 25 : 587 : 465
daemon_smtp_ports = 25 : 587

# enable TLS
log_selector = +subject +tls_cipher +tls_peerdn
tls_advertise_hosts = *
# adjust below to suit your requirements
#tls_require_ciphers = TLSv1+HIGH : !SSLv2 : RC4+MEDIUM : !aNULL : !eNULL : !3DES : @STRENGTH
tls_require_ciphers = AES256+SHA256:AES+SHA:!SSLv2:RC4+MEDIUM:!eNULL:!aNULL:@STRENGTH
tls_certificate = /etc/exim4/exim.crt
tls_privatekey = /etc/exim4/exim.key
#tls_on_connect_ports = 465
MAIN_TLS_ENABLE = true

# advertise auth to TLS sessions only ($tls_cipher is empty on a clear session)
auth_advertise_hosts = ${if eq {$tls_cipher}{}{}{*}}

> Any one ? ?? HINTS? ?? HOWTO's? ? ?


Suggest you read:


http://www.exim.org/exim-html-current/doc/html/spec_html/ch-encrypted_smtp_connections_using_tlsssl.html


Then you can use the $tls_cipher variable which is set to the name of
the cipher in use, or null on clear connections, as part of the HELO ACL
to simply return a message to the connected host that says something to
the effect of:

    554 You must say STARTTLS to use an encrypted session


in return to a HELO/EHLO on a clear session...

> EXIM 4 only, please... don't use other servers.
>
> Thanks in advance!
>
>


Mike
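As an added example (not from Mike's message or the Exim project), here is one way to wire that "554 You must say STARTTLS" rejection into an Exim 4 ACL. It uses Exim's built-in `encrypted` condition instead of testing `$tls_cipher`, and assumes a single monolithic configuration file; the ACL name acl_check_mail is an assumption.

```exim
# Added example, not part of the original post. Assumes a single
# exim4.conf-style file; acl_check_mail is an assumed ACL name.

# ---- main section ---------------------------------------------------------
tls_advertise_hosts = *
tls_certificate     = /etc/exim4/exim.crt
tls_privatekey      = /etc/exim4/exim.key

# Run the TLS check at MAIL FROM rather than at HELO/EHLO: a client must be
# allowed one clear-text EHLO to learn that STARTTLS is offered (RFC 3207),
# so denying in acl_smtp_helo would prevent STARTTLS from ever happening.
acl_smtp_mail = acl_check_mail

# Optional: also accept implicit TLS on 465 for clients that cannot STARTTLS.
# A port listed in tls_on_connect_ports must also appear in daemon_smtp_ports.
daemon_smtp_ports    = 25 : 587 : 465
tls_on_connect_ports = 465

# ---- ACL section ----------------------------------------------------------
begin acl

acl_check_mail:
  # "encrypted = *" is true only once TLS has been negotiated with the
  # connecting host; the leading "!" negates it, so a plain-text session is
  # refused with a 5xx reply and the attempt is logged for later review.
  deny    !encrypted  = *
          message     = 554 You must say STARTTLS to use an encrypted session
          log_message = rejected MAIL from $sender_host_address ($sender_helo_name): no TLS

  accept
```

To check the policy from a test client, `swaks --to user@example.com --server mail.example.com` (without `--tls`) should be refused at MAIL FROM with the 554 text, while `--tls` should get through. RFC 3207 recommends reply code 530 ("Must issue a STARTTLS command first") for this case; Exim sends whichever three-digit code begins the message string.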