Re: [exim] setting up exim4 to send mail through r4l.com

Top Page
Delete this message
Reply to this message
Author: Gary Dale
Date:  
To: exim-users
Subject: Re: [exim] setting up exim4 to send mail through r4l.com
On 2019-01-06 2:51 p.m., Jeremy Harris wrote:
> On 06/01/2019 19:34, Gary Dale via Exim-users wrote:
>> You've missed the point. My e-mail smarthost uses 587 for unencrypted
>> connections but 465 for encrypted. Using Thunderbird with ssl/tls on
>> port 465 works. It's the Exim4 (encrypted) configuration I need help
>> with.
> Oh, right. You're using Exim as a client here. So it's the transport
> configuration that matters:
>
> http://exim.org/exim-html-current/doc/html/spec_html/ch-the_smtp_transport.html#SECID146
>
> For the relevant transport in your config you'll need to
> set the "protocol" option to "smtps" to get TLS-on-connect.
> Quite where that is in you Debian-derived config I can't tell you.
> I'd not be at all surprised if the Debian configurator front-end
> knows about the possibility.


Yes. I forgot to mention that I've done that too. I added it to
exim4.conf.template then re-ran the configure and restarted the service.
Still no joy.


I also have just tried entering

    openssl s_client -starttls smtp -crlf -connect localhost:25

which I got from
https://serverfault.com/questions/308385/exim-tls-and-secure-smtp. I can
get the expected connection to port 25 but not port 465. When I try
using 465, I get the opening

    CONNECTED(00000003)

then the connection hangs.

When connected to port 25, I get the same message the OP does in his
working example about a self-signed certificate. I'm assuming that is
not the cause of my problems.

Trying another article I found, I entered:

    swaks -a -tls -q HELO -s <sub>.r4l.com:465 -au test -ap '<>'

where <sub> is replaced by the actual subdomain/server named assigned by
r4l. I get

    === Trying <sub>.r4l.com:465...
    === Connected to <sub>.r4l.com.
    <** Timeout (30 secs) waiting for server response
     -> QUIT
    <** Timeout (30 secs) waiting for server response
    === Connection closed with remote host.

With port 25, I never get the connection. With port 587 I get the
connection but it disconnects immediately:

 swaks -a -tls -q HELO -s <sub>.r4l.com:587 -au test -ap '<>'
=== Trying <sub>.r4l.com:587...
=== Connected to <sub>.r4l.com.
<-  220-<sub>.r4l.com ESMTP Exim 4.91 #1 Sun, 06 Jan 2019 17:25:47 -0500
<-  220-We do not authorize the use of this system to transport
unsolicited,
<-  220 and/or bulk e-mail.
 -> EHLO transponder.rahim-dale
<-  250-<sub>.r4l.com Hello <my router> [<my router's IP>]
<-  250-SIZE 52428800
<-  250-8BITMIME
<-  250-PIPELINING
<-  250-AUTH PLAIN LOGIN
<-  250-STARTTLS
<-  250 HELP
 -> STARTTLS
<-  220 TLS go ahead
=== TLS started with cipher TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256
=== TLS no local certificate set
=== TLS peer DN="/CN=*.r4l.com"
 ~> EHLO transponder.rahim-dale
<~  250-<sub>.r4l.com Hello <my router> [<my router's IP>]
<~  250-SIZE 52428800
<~  250-8BITMIME
<~  250-PIPELINING
<~  250-AUTH PLAIN LOGIN
<~  250 HELP
 ~> QUIT
<~  221 <sub>.r4l.com closing connection
=== Connection closed with remote host.

Going back to the openssl command, I tried connecting to the remote
server with the same results (465 connects but hangs, 25 doesn't even
connect and 587 connects. Unfortunately 587 still doesn't get me very far:

 openssl s_client -starttls smtp -crlf -connect <sub>.r4l.com:587
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = *.r4l.com
verify return:1
---
Certificate chain
 0 s:CN = *.r4l.com
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----

<snip>

-----END CERTIFICATE-----
subject=CN = *.r4l.com

issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3433 bytes and written 463 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID:
A33DD10363ACFD8A2D977FF3DE763AA6F83045589B6DBFCB2036EBA93F5F3B4A
    Session-ID-ctx:
    Master-Key:
22DD76F58F478197E503F2F40A873206F8790404B251A059C9A9E5F3A43E319284BF55A3EE5105954ADA395E9D30C8D5
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1546812480
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
250 HELP
helo
250 <sub>.r4l.com Hello <my router?> [<my router's IP>]
auth login
503 AUTH command used when not advertised

with similar errors for any other command I try.

I can understand 587 not working. It's not supposed to be used for
encrypted connections with this server. However I am not getting
anywhere with port 465.

Any ideas?