Hello,
After some questions about the config files on a Debian system, I
continued playing with Exim and TLS!
I think it's on the right track, because now I get "STARTTLS" from telnet
and get some certificate answer... But a client like Thunderbird can't
connect using TLS... :(
So now... I'm here, and when I launch swaks to test TLS (swaks -a
-tls -q HELO -s localhost -au user -ap '<>'), I get:
=== Trying localhost:25...
=== Connected to localhost.
<- 220 mail ESMTP Exim 4.84_2 Wed, 14 Jun 2017 00:22:51 +0200
-> EHLO mail
<- 250-mail Hello localhost [::1]
<- 250-SIZE 52428800
<- 250-8BITMIME
<- 250-PIPELINING
<- 250-STARTTLS
<- 250 HELP
-> STARTTLS
<- 220 TLS go ahead
=== TLS started with cipher TLSv1.2:xxxxxxxxxxxxx
=== TLS no local certificate set
=== TLS peer
DN="/C=/ST=/L=/O=/OU=/CN=mail.domain.lan/emailAddress=user@???"
~> EHLO mail
<~ 250-mail Hello localhost [::1]
<~ 250-SIZE 52428800
<~ 250-8BITMIME
<~ 250-PIPELINING
<~ 250-AUTH PLAIN LOGIN
<~ 250 HELP
~> QUIT
<~ 221 mail closing connection
=== Connection closed with remote host.
Here, I saw that AUTH "PLAIN" and "LOGIN" seem to be available after
TLS is started.
Then, asking the server about certificates using the openssl command
(openssl s_client -connect mail.domain.lan:465) showed:
- One certificate returned with the "error" (warning?): verify
error:num=18:self signed certificate
- Then the complete certificate:
-----BEGIN CERTIFICATE-----
........
-----END CERTIFICATE-----
- And after that:
---
No client certificate CA names sent
---
SSL handshake has read 1501 bytes and written 483 bytes
---
New, TLSv1/SSLv3, Cipher is xxxxxxxxxxxxx
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : xxxxxxxxxxx
Session-ID: xxxxxxxxxxxxxxxxxxxxxxx
Session-ID-ctx:
Master-Key: xxxxxxxxxxxxxxxxxxxxxxxxxx
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1497393946
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
220 mail ESMTP Exim 4.84_2 Wed, 14 Jun 2017 00:45:46 +0200
So... Do I have to fix the error "No client certificate CA names sent"?
Maybe by using a signing process with LetsEncrypt or something else?
For the Exim config, I followed instructions from many tutorials found on
the web:
MAIN_LOG_SELECTOR = +all
MAIN_TLS_ENABLE = yes
daemon_smtp_ports = 25 : 465 : 587
tls_on_connect_ports = 465
And I uncommented these two AUTH methods (the two shown earlier in the
"250-AUTH PLAIN LOGIN" line with swaks):
# Authenticate against local passwords using sasl2-bin
# Requires exim_uid to be a member of sasl group, see README.Debian.gz
plain_saslauthd_server:
  driver = plaintext
  public_name = PLAIN
  server_condition = ${if saslauthd{{$auth2}{$auth3}}{1}{0}}
  server_set_id = $auth2
  server_prompts = :
  .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
  .endif

login_saslauthd_server:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"
  # don't send system passwords over unencrypted connections
  server_condition = ${if saslauthd{{$auth1}{$auth2}}{1}{0}}
  server_set_id = $auth1
  .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
  .endif
I tried this config on the server and on a VM: same result, TLS seems
enabled but Thunderbird doesn't recognize the encryption :(
Any suggestion, idea for debugging TLS or a little help would be very welcome.
Thanks.
Regards,
John
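The checks the message above does by hand with swaks and openssl s_client, scripted as an added shell example (editor's example, not part of the original message or of Exim). It probes each listener in the TLS mode the posted config gives that port (TLS on connect for 465, STARTTLS for 25 and 587), sends an EHLO inside the TLS session, and reduces the s_client transcript to the protocol, cipher, "Verify return code" and whether AUTH was advertised after the handshake. The host name mail.domain.lan is taken from the message, the embedded transcript is constructed to look like the one in the message rather than a real capture, and the verdict labels are this example's own.

```shell
#!/bin/sh
# Added example, not from the original message: probe Exim listeners with
# openssl s_client in the right TLS mode and summarise what came back.
# Assumptions: host from the message; 465 = tls_on_connect, 25/587 = STARTTLS.

HOST="${HOST:-mail.domain.lan}"

# s_client flags for a port: no -starttls on 465 (TLS on connect),
# -starttls smtp elsewhere. Using STARTTLS against 465, or plain SMTP
# against a tls_on_connect port, is a common way to get a hang even
# though the server's TLS is fine.
tls_mode_args() {
    case "$1" in
        465) printf '%s' '' ;;
        *)   printf '%s' '-starttls smtp' ;;
    esac
}

# Reduce an s_client transcript on stdin to "<proto> <cipher> <verify> <auth>".
#   verify: numeric "Verify return code" (0 = chain trusted, 18 = self-signed)
#   auth:   "yes" if a 250-AUTH line was seen after the handshake, else "no"
# Missing fields are printed as "-" so the output always has four columns.
summarise() {
    awk '
      /^[[:space:]]*Protocol[[:space:]]*:/ { proto  = $NF }
      /^[[:space:]]*Cipher[[:space:]]*:/   { cipher = $NF }
      /Verify return code:/                { verify = $4 }
      /^250[- ]AUTH[[:space:]]/            { auth   = "yes" }
      END {
        if (proto  == "") proto  = "-"
        if (cipher == "") cipher = "-"
        if (verify == "") verify = "-"
        if (auth   == "") auth   = "no"
        printf "%s %s %s %s\n", proto, cipher, verify, auth
      }'
}

# One-word verdict from a summary line.
verdict() {
    set -- $1
    if   [ "$1" = "-" ];     then echo "no-tls"
    elif [ "$4" != "yes" ];  then echo "tls-but-no-auth"
    elif [ "$3" != "0" ];    then echo "tls-auth-untrusted-cert"
    else                          echo "ok"
    fi
}

# Talk to one port: EHLO inside TLS, then QUIT so the server closes the
# connection and s_client exits. -ign_eof stops s_client from hanging up
# on our stdin EOF before the server has answered; -crlf adds the CR.
probe_port() {
    port="$1"
    printf 'EHLO probe.example\nQUIT\n' |
      openssl s_client -connect "$HOST:$port" $(tls_mode_args "$port") \
        -servername "$HOST" -crlf -ign_eof 2>/dev/null |
      summarise
}

# Constructed transcript (not a real capture) shaped like the s_client
# output quoted in the message: self-signed cert, TLS 1.2, AUTH after TLS.
SAMPLE='CONNECTED(00000003)
depth=0 CN = mail.domain.lan
verify error:num=18:self signed certificate
---
No client certificate CA names sent
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 18 (self signed certificate)
---
220 mail ESMTP Exim ready
250-mail Hello probe.example [::1]
250-AUTH PLAIN LOGIN
250 HELP
221 mail closing connection'

sample_summary() { printf '%s\n' "$SAMPLE" | summarise; }

case "${1:-}" in
    probe)
        # usage: HOST=mail.example.org sh probe.sh probe "25 465 587"
        for p in ${2:-25 465 587}; do
            s=$(probe_port "$p")
            printf '%s/%s: %s -> %s\n' "$HOST" "$p" "$s" "$(verdict "$s")"
        done ;;
    *)
        s=$(sample_summary)
        printf 'sample: %s -> %s\n' "$s" "$(verdict "$s")" ;;
esac
```

Run with no arguments it only parses the embedded sample, which yields "TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 18 yes -> tls-auth-untrusted-cert": the handshake completed and AUTH is gated behind TLS as the posted `server_advertise_condition` intends, and the only thing left on the server side is that the certificate is self-signed (verify code 18). With `probe` it runs the live check against each port, so a listener that answers "no-tls" on 465 but "ok" or "tls-auth-untrusted-cert" on 587 points at the port mode, not at the cipher or the certificate.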