[exim] Exim 4.87 reports no server certificate but appears t…

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Mike Tubby
Datum:  
To: exim users
Betreff: [exim] Exim 4.87 reports no server certificate but appears to work?
Anyone else seeing this with Exim 4.87?

     Warning: No server certificate defined; TLS connections will fail.


during "make install" and in panic log, while having a self-signed
certificate defined (same config as Exim-4.86) and yet TLS appears to work?


During "make install":

>>> exim binary built

make[1]: Leaving directory `/home/mike/exim-4.87/build-Linux-i386'
Installation directory is /usr/local/bin

2016-04-07 00:16:35 Warning: No server certificate defined; TLS
connections will fail.
Suggested action: either install a certificate or change
tls_advertise_hosts option
cp exim /usr/local/bin/exim-4.87-3
/bin/chown root /usr/local/bin/exim-4.87-3
...


During start-up:

root@relay1:~/exim-4.87# service exim start
* Starting Exim MTA [ OK ]
Warning: Exim paniclog has non-zero size, mail system possibly broken
root@relay1:~/exim-4.87# cat /var/log/exim/paniclog
2016-04-07 00:16:35 Warning: No server certificate defined; TLS
connections will fail.
Suggested action: either install a certificate or change
tls_advertise_hosts option
root@relay1:~/exim-4.87#


Excerpt from my /etc/exim/exim.conf:

#
# Enable TLS with strong ciphers
#
MAIN_TLS_ENABLE = true

openssl_options = -all +no_sslv2 +no_sslv3 +no_compression
+cipher_server_preference

tls_certificate = /etc/exim/exim.crt
tls_privatekey = /etc/exim/exim.key
tls_dhparam = /etc/exim/exim.dhparam
tls_advertise_hosts = *

# Preference: all the EC and GCM first then degrade gracefully
tls_require_ciphers =
kEECDH+AESGCM:ECDH+AESGCM:DH+AESGCM:RSA+AESGCM:ECDH+AES:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:RC4+MEDIUM:!aNULL:!eNULL:!MD5:!DSS

# advertise auth to TLS sessions only
auth_advertise_hosts = ${if eq {$tls_in_cipher}{}{}{*}}


The config points to a self-signed RSA-2048 bit key and cert that work
under Exim-4.86




During run-time mainlog entries showing TLS:

2016-04-07 00:08:31 CRYPTO: Client 209.216.229.3:53954 issued STARTTLS
2016-04-07 00:08:31 CRYPTO: Client 209.216.229.3:53954 using SSL/TLS
cipher: TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256

generated by part of my config:

###
### acl_start_tls: This access control list reports client used STARTTLS
###

acl_start_tls:
         accept  logwrite = CRYPTO: Client 
$sender_host_address:$sender_host_port issued STARTTLS



###
### acl_check_helo: check the HELO/EHLO
###

acl_check_helo:

         #
         # report TLS status
         #
         warn    condition = ${if def:tls_in_cipher {1}{0}}
                 logwrite = CRYPTO: Client 
$sender_host_address:$sender_host_port using SSL/TLS cipher: $tls_in_cipher








My build info:

root@relay1:~/exim-4.87# exim -bt -d+all
00:17:32 20465 Exim version 4.87 uid=0 gid=0 pid=20465 D=fffdffff
Berkeley DB: Berkeley DB 5.3.28: (September  9, 2013)
Support for: crypteq iconv() IPv6 Perl OpenSSL move_frozen_messages 
Content_Scanning DKIM DNSSEC Event OCSP PRDR Experimental_SPF 
Experimental_SRS
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch dbm dbmjz 
dbmnz dnsdb mysql passwd
Authenticators: plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mbx autoreply pipe smtp
Fixed never_users: 0
Size of off_t: 8
Compiler: GCC [4.8.4]
Library version: OpenSSL: Compile: OpenSSL 1.0.1f 6 Jan 2014
                           Runtime: OpenSSL 1.0.1f 6 Jan 2014
                                  : built on: Mon Feb 29 18:09:55 UTC 2016
Library version: PCRE: Compile: 8.31
                        Runtime: 8.31 2012-07-06
00:17:32 20465 Total 11 lookups
Library version: MySQL: Compile: 5.5.47 [(Ubuntu)]
                         Runtime: 5.5.47
WHITELIST_D_MACROS unset
TRUSTED_CONFIG_LIST unset
00:17:32 20465 changed uid/gid: forcing real = effective
00:17:32 20465   uid=0 gid=0 pid=20465
00:17:32 20465   auxiliary group list: <none>
00:17:32 20465 seeking password data for user "root": cache not available
00:17:32 20465 getpwnam() succeeded uid=0 gid=0
00:17:32 20466 changed uid/gid: calling tls_validate_require_cipher
00:17:32 20466   uid=169 gid=169 pid=20466
00:17:32 20466   auxiliary group list: <none>
00:17:32 20466 tls_require_ciphers expands to 
"kEECDH+AESGCM:ECDH+AESGCM:DH+AESGCM:RSA+AESGCM:ECDH+AES:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:RC4+MEDIUM:!aNULL:!eNULL:!MD5:!DSS"
00:17:32 20465 tls_validate_require_cipher child 20466 ended: status=0x0
00:17:32 20465 openssl option, removing from 1100000: 80000bff (all 
+no_sslv2 +no_sslv3 +no_compression +cipher_server_preference)
00:17:32 20465 openssl option, adding from 1100000: 1000000 (no_sslv2 
+no_sslv3 +no_compression +cipher_server_preference)
00:17:32 20465 openssl option, adding from 1100000: 2000000 (no_sslv3 
+no_compression +cipher_server_preference)
00:17:32 20465 openssl option, adding from 3100000: 20000 
(no_compression +cipher_server_preference)
00:17:32 20465 openssl option, adding from 3120000: 400000 
(cipher_server_preference)
00:17:32 20465 configuration file is /etc/exim/exim.conf
00:17:32 20465 log selectors = 00000ffc 107b2001



Mike