Re: [exim] Enable TLS with basic Exim4 config

Author: John Smith
Date:  
To: exim-users
Subject: Re: [exim] Enable TLS with basic Exim4 config
Hello Heiko,

When I used exim-gencert, I set the FQDN name of the Exim server in the
field "Server name (eg. ssl.domain.tld; required!!!) [])". So here I
think it's good.

With the default Thunderbird detection, I get: SMTP with port 25 and
no TLS... If I confirm this for the account, then as you said, there is
a certificate warning :/
So it comes because it's a self-signed certificate? No way to generate
a true certificate for a LAN network? That's why I asked about
LetsEncrypt in my previous mail.

OK, I will dig into this this morning with tcpdump.

Thanks.

Regards,

John
Sent: Wednesday, 14 June 2017 at 01:43
From: "Heiko Schlittermann via Exim-users" <exim-users@???>
To: exim-users@???
Subject: Re: [exim] Enable TLS with basic Exim4 config
John Smith <j0hnsm1th@???> (Wed 14 Jun 2017 01:08:15 CEST):
> Hello,
>
> After some questions about the config files with a Debian system, I
> continued playing with Exim and the TLS!
> I think it's on the right track because now I get "STARTTLS" from telnet
> and get some certificate answer... But a client like Thunderbird can't
> connect using TLS... :(
>
> So now... I'm here and when I launch swaks to test the TLS (swaks -a
> -tls -q HELO -s localhost -au user -ap '<>'), I got:
>
> === Trying localhost:25...
> === Connected to localhost.
...
> ~> QUIT
> <~ 221 mail closing connection
> === Connection closed with remote host.
Looks good.
> Here, I saw that AUTH "PLAIN" and "LOGIN" seem to be available after
> getting the TLS started.
Yes. Intentionally.
> Then, asking the server about certificates using the openssl command
> (openssl s_client -connect mail.domain.lan:465) showed:
>
> - One certificate returned with the "error" (warning ?) : verify
> error:num=18:self signed certificate
...
> No client certificate CA names sent
> ---
...
>
> So... Do I have to fix the error "No client certificate CA names
> sent"? Maybe by using a signing process with LetsEncrypt or something else?
No, the client isn't obligated to send a certificate.
But TB may be uncomfortable with your self-signed certificate.
Mail clients typically want to see a certificate with a matching
CN or SAN (matching the host's name they connect to).
You can debug it using tcpdump, to see if TB at least tries to use
TLS.
Best regards from Dresden/Germany
Heiko Schlittermann
--
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --------------- key ID: F69376CE -
! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
--
## List details at
[1]https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at [2]http://www.exim.org/
## Please use the Wiki with this list - [3]http://wiki.exim.org/
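Heiko's point above is that a mail client does not care whether the chain is "fixed"; it checks two things: that it trusts the issuer (a self-signed certificate fails this unless the client has been told to trust it) and that a dNSName SAN, or the subject CN when there is no SAN, matches the host name it connected to. The script below is an added example, not code from the thread or from Exim; it reproduces that client-side decision against an SMTP server (STARTTLS on 25/587, or implicit TLS on 465 like the openssl s_client test) and reports which of the two checks fails. The host name, port and the cafile path (pass the server's own self-signed certificate there to emulate a client that has explicitly trusted it) are placeholders; the sample certificate dict is constructed, in the shape Python's getpeercert() returns, and is not a real certificate.

```python
"""Decide, the way a mail client would, whether an SMTP server's TLS
certificate is acceptable: trusted chain AND a name matching the host.

Added example (not from the Exim thread).  Requires Python 3.7+ for
SSLCertVerificationError.verify_code.  Host, port and cafile are placeholders.
"""
import smtplib
import ssl

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns; not a real cert.
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.domain.lan"),),),
    "subjectAltName": (("DNS", "mail.domain.lan"), ("DNS", "*.domain.lan")),
}


def cert_names(cert):
    """Names a client will accept: the dNSName SANs, or, only if the
    certificate carries no SAN at all, the subject CN (legacy fallback)."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ()) for key, value in rdn
            if key == "commonName"]


def label_matches(pattern, hostname):
    """One certificate name against one host name (case-insensitive, trailing
    dot ignored).  A '*' may only stand for the whole leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]                      # "*.domain.lan" -> ".domain.lan"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[:-len(suffix)]
    return bool(leftmost) and "." not in leftmost   # exactly one non-empty label


def name_matches(cert, hostname):
    """Return (True, matched_name) or (False, diagnostic)."""
    names = cert_names(cert)
    if not names:
        return False, "certificate carries neither a dNSName SAN nor a subject CN"
    for name in names:
        if label_matches(name, hostname):
            return True, name
    return False, "connected to %r but certificate is for %s" % (hostname, ", ".join(names))


def probe_smtp_tls(host, port=25, cafile=None, implicit_tls=False, timeout=10):
    """Connect like a mail client and report why TLS would or would not be
    trusted.  cafile=None uses the system CA store (a self-signed cert fails
    here); pass the server's own certificate as cafile to emulate a client
    that has explicitly trusted it, leaving only the name check."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False   # name check is done below so the reason is explicit
    smtp = None
    try:
        if implicit_tls:                       # port 465, what openssl s_client tested
            smtp = smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx)
        else:                                  # port 25/587 with STARTTLS
            smtp = smtplib.SMTP(host, port, timeout=timeout)
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                return {"trusted": False, "reason": "server does not advertise STARTTLS"}
            smtp.starttls(context=ctx)
        cert = smtp.sock.getpeercert()         # non-empty only because the chain verified
        smtp.ehlo()                            # AUTH should appear only now, after TLS
        auth = smtp.esmtp_features.get("auth", "").split()
        smtp.quit()
    except ssl.SSLCertVerificationError as exc:
        # verify_code 18 is OpenSSL's "self signed certificate", the error seen in the thread
        return {"trusted": False,
                "reason": "chain not trusted: %s (X509 error %s)"
                          % (exc.verify_message, exc.verify_code)}
    finally:
        if smtp is not None:
            smtp.close()
    ok, detail = name_matches(cert, host)
    return {"trusted": ok, "reason": detail, "auth_after_tls": auth}


if __name__ == "__main__":
    import json
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.domain.lan"   # placeholder host
    trust = sys.argv[2] if len(sys.argv) > 2 else None                  # e.g. the server's own .crt
    print(json.dumps(probe_smtp_tls(target, cafile=trust), indent=2))
```

Run it once with no cafile to reproduce the "self signed certificate" failure, then again with the server's certificate file as the second argument: if the result is still untrusted, the reason shows the names the certificate actually carries next to the host you connected to, which is the mismatch a client sees when it is pointed at "localhost" or a short name while the certificate was generated for the FQDN. For a LAN this is the practical answer to the question in the thread: either distribute that self-signed certificate (or a private CA) to the clients, or obtain a public certificate for a name you control, but in both cases the name the client types must be one of the names in the certificate.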

References

1. https://lists.exim.org/mailman/listinfo/exim-users
2. http://www.exim.org/
3. http://wiki.exim.org/