On 2019-01-06 2:51 p.m., Jeremy Harris wrote:
> On 06/01/2019 19:34, Gary Dale via Exim-users wrote:
>> You've missed the point. My e-mail smarthost uses 587 for unencrypted
>> connections but 465 for encrypted. Using Thunderbird with ssl/tls on
>> port 465 works. It's the Exim4 (encrypted) configuration I need help
>> with.
> Oh, right. You're using Exim as a client here. So it's the transport
> configuration that matters:
>
> http://exim.org/exim-html-current/doc/html/spec_html/ch-the_smtp_transport.html#SECID146
>
> For the relevant transport in your config you'll need to
> set the "protocol" option to "smtps" to get TLS-on-connect.
> Quite where that is in you Debian-derived config I can't tell you.
> I'd not be at all surprised if the Debian configurator front-end
> knows about the possibility.
Yes. I forgot to mention that I've done that too. I added it to
exim4.conf.template then re-ran the configure and restarted the service.
Still no joy.
I also have just tried entering
openssl s_client -starttls smtp -crlf -connect localhost:25
which I got from
https://serverfault.com/questions/308385/exim-tls-and-secure-smtp. I can
get the expected connection to port 25 but not port 465. When I try
using 465, I get the opening
CONNECTED(00000003)
then the connection hangs.
When connected to port 25, I get the same message the OP does in his
working example about a self-signed certificate. I'm assuming that is
not the cause of my problems.
Trying another article I found, I entered:
swaks -a -tls -q HELO -s <sub>.r4l.com:465 -au test -ap '<>'
where <sub> is replaced by the actual subdomain/server named assigned by
r4l. I get
=== Trying <sub>.r4l.com:465...
=== Connected to <sub>.r4l.com.
<** Timeout (30 secs) waiting for server response
-> QUIT
<** Timeout (30 secs) waiting for server response
=== Connection closed with remote host.
With port 25, I never get the connection. With port 587 I get the
connection but it disconnects immediately:
swaks -a -tls -q HELO -s <sub>.r4l.com:587 -au test -ap '<>'
=== Trying <sub>.r4l.com:587...
=== Connected to <sub>.r4l.com.
<- 220-<sub>.r4l.com ESMTP Exim 4.91 #1 Sun, 06 Jan 2019 17:25:47 -0500
<- 220-We do not authorize the use of this system to transport
unsolicited,
<- 220 and/or bulk e-mail.
-> EHLO transponder.rahim-dale
<- 250-<sub>.r4l.com Hello <my router> [<my router's IP>]
<- 250-SIZE 52428800
<- 250-8BITMIME
<- 250-PIPELINING
<- 250-AUTH PLAIN LOGIN
<- 250-STARTTLS
<- 250 HELP
-> STARTTLS
<- 220 TLS go ahead
=== TLS started with cipher TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256
=== TLS no local certificate set
=== TLS peer DN="/CN=*.r4l.com"
~> EHLO transponder.rahim-dale
<~ 250-<sub>.r4l.com Hello <my router> [<my router's IP>]
<~ 250-SIZE 52428800
<~ 250-8BITMIME
<~ 250-PIPELINING
<~ 250-AUTH PLAIN LOGIN
<~ 250 HELP
~> QUIT
<~ 221 <sub>.r4l.com closing connection
=== Connection closed with remote host.
Going back to the openssl command, I tried connecting to the remote
server with the same results (465 connects but hangs, 25 doesn't even
connect and 587 connects. Unfortunately 587 still doesn't get me very far:
openssl s_client -starttls smtp -crlf -connect <sub>.r4l.com:587
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = *.r4l.com
verify return:1
---
Certificate chain
0 s:CN = *.r4l.com
i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
<snip>
-----END CERTIFICATE-----
subject=CN = *.r4l.com
issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3433 bytes and written 463 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID:
A33DD10363ACFD8A2D977FF3DE763AA6F83045589B6DBFCB2036EBA93F5F3B4A
Session-ID-ctx:
Master-Key:
22DD76F58F478197E503F2F40A873206F8790404B251A059C9A9E5F3A43E319284BF55A3EE5105954ADA395E9D30C8D5
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1546812480
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
250 HELP
helo
250 <sub>.r4l.com Hello <my router?> [<my router's IP>]
auth login
503 AUTH command used when not advertised
with similar errors for any other command I try.
I can understand 587 not working. It's not supposed to be used for
encrypted connections with this server. However I am not getting
anywhere with port 465.
Any ideas?
