On 2017-10-14 at 22:34 +0800, Angelo Chen via Exim-users wrote:
> I'm trying to set up a gmail relay:

This is modified from my setup, with the bit which relays mail from
exim.org out through the exim.org server; so this isn't 100% known to
work, I might have made typos.

The file /etc/exim/auth/outbound-passwords would need to exist, have
appropriate permissions, and look something like:

------------------------8< outbound-passwords >8------------------------
xyz@???: user=xyz@??? password=12345678 clienttoken=my-short-persistent-id
zyx@???: user=dhr.zyx password=geheim port=29 tls=yes
------------------------8< outbound-passwords >8------------------------

The default cipherspec looks awful to people who don't understand SMTP
security and cargo-cult everything, but it's better than falling back to
plaintext and is reliant upon TLS correctly picking a good ciphersuite.
If the attribute 'tlshigh' is set then its value is used as a spec, or
if it's set to just 'yes' then the other macro is used.

Note that you should get an "App Specific Password" from Google
<https://myaccount.google.com/apppasswords> and use that for the mail
configs, instead of hard-coding in your regular password. This will
also let you enable 2FA but still use SMTP mail.

-----------------------------8< cut here >8-----------------------------
# macros section
RUNAUTHDIR=/etc/exim/auth
TLS_CLIENT_DEFAULT_CIPHERSPEC=DEFAULT:!SSLv2:!LOW:aNULL:!eNULL
TLS_CLIENT_HIGHSEC_CIPHERSPEC=ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:HIGH:!MD5:!RC4:!aNULL:!ADH:!DES:!EXP:!NULL
SSL_CERTS_DIR=/etc/ssl/certs

# routers
# nb: on main routers, avoid "same_domain_copy_routing" because it will
# interfere with sender-based routing
via_gmail:
  driver = manualroute
  senders = *@gmail.com
  domains = ! +local_domains
  route_data = smtp.gmail.com
  transport = secure_smtp
  address_data = ${lookup {$sender_address}lsearch{RUNAUTHDIR/outbound-passwords}} authreq=yes tls=yes tlshigh=yes port=587

# transports
secure_smtp:
  driver = smtp
  port = ${extract{port}{$address_data}{$value}{25}}
  hosts_require_auth = ${extract{authreq}{$address_data}{${if eq{$value}{yes}{*}{$value}}}{}}
  hosts_require_tls = ${extract{tls}{$address_data}{${if eq{$value}{yes}{*}{$value}}}{}}
  tls_sni = ${extract{tlssni}{$address_data}{$value}{}}
  tls_require_ciphers = ${extract{tlshigh}{$address_data}{${if eq{$value}{yes}{TLS_CLIENT_HIGHSEC_CIPHERSPEC}{$value}}}{TLS_CLIENT_DEFAULT_CIPHERSPEC}}
  tls_verify_certificates = ${extract{tlsverify}{$address_data}{SSL_CERTS_DIR}fail}
  dnssec_request_domains = *
  hosts_try_dane = *
  no_multi_domain
  no_delay_after_cutoff

# authenticators
auth_plain:
  driver = plaintext
  public_name = PLAIN
  client_condition = ${if def:tls_out_cipher}
  client_send = ^${extract{user}{$address_data}{$value}fail}^${extract{password}{$address_data}{$value}fail}

auth_plain_clienttoken:
  driver = plaintext
  public_name = PLAIN-CLIENTTOKEN
  client_condition = ${if def:tls_out_cipher}
  client_send = ^${extract{user}{$address_data}{$value}fail}^${extract{password}{$address_data}{$value}fail}^${extract{clienttoken}{$address_data}{$value}fail}
-----------------------------8< cut here >8-----------------------------

This adds support for using PLAIN-CLIENTTOKEN for Gmail instead of
PLAIN; I've added it here based on a description posted by one of
Google's postmasters to another mailing-list recently. Untested by me,
but it should work. If not, just remove that authenticator. The id
should be something short and stable you pick but keep private, changing
it on each machine which uses this, to let Google's security systems
track moving devices and protest if the same token is being used on two
different continents at the same time, etc.

-Phil
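The configuration above chains an lsearch lookup into `$address_data`, then pulls individual settings back out of it with `${extract}`, mapping a bare `yes` to the host list `*` and falling back to defaults when a key is absent. The following script is an added illustration of that data flow and is not code from the post or from Exim: it parses a constructed `outbound-passwords` file in the same format, appends the router's defaults the way `address_data` does, and resolves the transport options for a given sender. It also includes the check a practitioner would want before deploying the file, since it holds plaintext credentials: a refusal of any mode that lets group or others read it. The sample addresses and secrets are constructed, the first-match rule for duplicate keys is assumed to mirror Exim's `${extract}` (so the per-sender `port=29` wins over the appended `port=587`), and quoted values in the key=value list are not handled.

```python
"""Resolve per-sender outbound SMTP settings the way the posted Exim
router/transport pair does.  Added example, not Exim code: the lookup,
the key=value extraction with 'yes' -> '*' mapping and the defaults are
re-implemented here so the resolution can be inspected offline."""
import os
import stat

# Constructed sample with the same shape as the post's outbound-passwords
# file; addresses and secrets are placeholders, not real credentials.
SAMPLE_PASSWORDS_FILE = """\
# lsearch format: "<sender>: <space-separated key=value attributes>"
xyz@example.com: user=xyz@example.com password=12345678 clienttoken=my-short-persistent-id
zyx@example.org: user=dhr.zyx password=geheim port=29 tls=yes
"""

# Router: address_data = ${lookup ...} authreq=yes tls=yes tlshigh=yes port=587
ROUTER_DEFAULTS = "authreq=yes tls=yes tlshigh=yes port=587"
TLS_CLIENT_DEFAULT_CIPHERSPEC = "DEFAULT:!SSLv2:!LOW:aNULL:!eNULL"
TLS_CLIENT_HIGHSEC_CIPHERSPEC = ("ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:"
                                 "HIGH:!MD5:!RC4:!aNULL:!ADH:!DES:!EXP:!NULL")


def lsearch(text, key):
    """Linear search like Exim's lsearch: first non-comment line whose key
    (the part before the first ':') equals the lookup key.  Returns the
    remainder of the line, or None when nothing matches (the router's
    ${lookup} without a failure string then yields an empty string)."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        k, sep, value = line.partition(":")
        if sep and k.strip() == key:
            return value.strip()
    return None


def parse_kv(s):
    """Read a 'k1=v1 k2=v2 ...' string.  Assumption: the first occurrence
    of a key wins, so a per-sender entry overrides the router defaults
    appended after it.  Quoted values are not handled in this example."""
    out = {}
    for tok in s.split():
        k, sep, v = tok.partition("=")
        if sep and k not in out:
            out[k] = v
    return out


def resolve(address_data):
    """Mirror the ${extract} expressions of the secure_smtp transport and
    the two PLAIN authenticators for one value of $address_data."""
    kv = parse_kv(address_data)

    def host_list(key):
        # ${extract{key}{$address_data}{${if eq{$value}{yes}{*}{$value}}}{}}
        v = kv.get(key)
        if v is None:
            return ""
        return "*" if v == "yes" else v

    tlshigh = kv.get("tlshigh")
    if tlshigh is None:
        ciphers = TLS_CLIENT_DEFAULT_CIPHERSPEC
    elif tlshigh == "yes":
        ciphers = TLS_CLIENT_HIGHSEC_CIPHERSPEC
    else:
        ciphers = tlshigh            # literal spec supplied per sender

    # Both authenticators use 'fail' on user/password, so without
    # credentials neither can run; the clienttoken variant also needs
    # the clienttoken attribute.  Both are gated on TLS being up.
    have_creds = "user" in kv and "password" in kv
    auths = []
    if have_creds and "clienttoken" in kv:
        auths.append("PLAIN-CLIENTTOKEN")
    if have_creds:
        auths.append("PLAIN")

    return {
        "port": kv.get("port", "25"),
        "hosts_require_auth": host_list("authreq"),
        "hosts_require_tls": host_list("tls"),
        "tls_sni": kv.get("tlssni", ""),
        "tls_require_ciphers": ciphers,
        "authenticators_over_tls": auths,
    }


def settings_for_sender(sender, passwords_text=SAMPLE_PASSWORDS_FILE):
    """Build $address_data exactly as the via_gmail router does and resolve it."""
    entry = lsearch(passwords_text, sender) or ""
    return resolve(entry + " " + ROUTER_DEFAULTS)


def permission_problems(mode):
    """The post requires 'appropriate permissions' on the passwords file.
    Given a numeric mode, return the reasons it is unsuitable for a file
    that contains plaintext passwords (anything group/other accessible)."""
    bad = stat.S_IRGRP | stat.S_IWGRP | stat.S_IROTH | stat.S_IWOTH
    if mode & bad:
        return [f"mode {mode:04o} is readable or writable by group/others"]
    return []


def check_passwords_file(path):
    """Stat a real file and apply permission_problems() to its mode."""
    return permission_problems(stat.S_IMODE(os.stat(path).st_mode))


if __name__ == "__main__":
    for sender in ("xyz@example.com", "zyx@example.org", "nobody@example.net"):
        print(sender, settings_for_sender(sender))
    print("0600:", permission_problems(0o600), " 0644:", permission_problems(0o644))
```

Running it shows the effect of the router defaults: the unknown sender still gets `hosts_require_auth = *` and `hosts_require_tls = *`, but with no credentials no authenticator can be used, so Exim would defer rather than relay unauthenticated, which is the fail-closed behaviour the `fail` in `client_send` is there to guarantee.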