[exim] Enable TLS with basic Exim4 config

Pàgina inicial
Delete this message
Reply to this message
Autor: John Smith
Data:  
A: exim-users
Assumpte: [exim] Enable TLS with basic Exim4 config
Hello,

After some questions about the config files with a Debian system, I
continued playing with Exim and the TLS!
I think it's on the good way because now I get "STARTTLS" from telnet
and get some certificates answer... But client like Thunderbird can't
connect using TLS... :(

So now... I'm here and when I launch swaks to test the TLS (swaks -a
-tls -q HELO -s localhost -au user -ap '<>'), I got :

   === Trying localhost:25...
   === Connected to localhost.
   <-  220 mail ESMTP Exim 4.84_2 Wed, 14 Jun 2017 00:22:51 +0200
    -> EHLO mail
   <-  250-mail Hello localhost [::1]
   <-  250-SIZE 52428800
   <-  250-8BITMIME
   <-  250-PIPELINING
   <-  250-STARTTLS
   <-  250 HELP
    -> STARTTLS
   <-  220 TLS go ahead
   === TLS started with cipher TLSv1.2:xxxxxxxxxxxxx
   === TLS no local certificate set
   === TLS peer
   DN="/C=/ST=/L=/O=/OU=/CN=mail.domain.lan/emailAddress=user@???"
    ~> EHLO mail
   <~  250-mail Hello localhost [::1]
   <~  250-SIZE 52428800
   <~  250-8BITMIME
   <~  250-PIPELINING
   <~  250-AUTH PLAIN LOGIN
   <~  250 HELP
    ~> QUIT
   <~  221 mail closing connection
   === Connection closed with remote host.


Here, I saw that AUTH "PLAIN" and "LOGIN" seems to be availabe after
getting the TLS started.

Then, asking the server about certificates using openssl command
(openssl s_client -connect mail.domain.lan:465) showed :

- One certificate returned with the "error" (warning ?) : verify
error:num=18:self signed certificate

   - Then the complete certificate :
       -----BEGIN CERTIFICATE-----
       ........
       -----END CERTIFICATE-----


   - And after :
   ---
   No client certificate CA names sent
   ---
   SSL handshake has read 1501 bytes and written 483 bytes
   ---
   New, TLSv1/SSLv3, Cipher is xxxxxxxxxxxxx
   Server public key is 2048 bit
   Secure Renegotiation IS supported
   Compression: NONE
   Expansion: NONE
   SSL-Session:
       Protocol  : TLSv1.2
       Cipher    : xxxxxxxxxxx
       Session-ID: xxxxxxxxxxxxxxxxxxxxxxx
       Session-ID-ctx:
       Master-Key: xxxxxxxxxxxxxxxxxxxxxxxxxx
       Key-Arg   : None
       PSK identity: None
       PSK identity hint: None
       SRP username: None
       Start Time: 1497393946
       Timeout   : 300 (sec)
       Verify return code: 18 (self signed certificate)
   ---
   220 mail ESMTP Exim 4.84_2 Wed, 14 Jun 2017 00:45:46 +0200


So... Did I have to fix the error "No client certificate CA names sent"
? Maybe by using a sign process with LetsEncrypt or something else ?

For Exim config, I followed instructions from many tutorials found on
the web :
MAIN_LOG_SELECTOR = +all
MAIN_TLS_ENABLE = yes
daemon_smtp_ports = 25 : 465 : 587
tls_on_connect_ports = 465

   And uncommented these two AUTH methods (the two showed before in the
   "250-AUTH PLAIN LOGIN" with swaks):
   # Authenticate against local passwords using sasl2-bin
   # Requires exim_uid to be a member of sasl group, see README.Debian.gz
    plain_saslauthd_server:
      driver = plaintext
      public_name = PLAIN
      server_condition = ${if saslauthd{{$auth2}{$auth3}}{1}{0}}
      server_set_id = $auth2
      server_prompts = :
      .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
      server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
      .endif
    login_saslauthd_server:
      driver = plaintext
      public_name = LOGIN
      server_prompts = "Username:: : Password::"
   #   # don't send system passwords over unencrypted connections
      server_condition = ${if saslauthd{{$auth1}{$auth2}}{1}{0}}
      server_set_id = $auth1
      .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
      server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
      .endif
   I tried this config on the server and on a VM : same result, TLS seems
   enabled but Thunderbird don't recognize the encryption :(


Any suggestion, idea to debug TLS or little help would be very welcome.

Thanks.

Regards,

John