Jeremiah Foster
2005-Aug-23 13:11 UTC
[Pkg-exim4-users] using TLS/SSL with exim4 under debian
Greetings,

I am trying to set up exim4 on debian to use TLS/SSL. But I cannot connect to my server, which works otherwise. I followed this documentation which is on my debian system with documents relating to exim4:

"How to enable TLS support for exim as server
------
You should have created certificates in /etc/exim4/ either by hand or by usage of the exim-gencert (which requires openssl). exim-gencert is shipped in /usr/share/doc/exim4-base/examples/ and takes care of proper access privileges on the private key file."

=> I used exim-gencert which produced exim.crt and exim.key

"Now, enable TLS by setting the macro MAIN_TLS_ENABLE in a local configuration file (documented below)."

=> This is where I am having problems. By "setting the macro" what do you mean? And which local configuration file? There are quite a few. The template file? The conf.conf file? Or under the conf.d directory?

"It might be appropriate to add "+tls_cipher +tls_peerdn" to any log_selector statement you might already have, or to add a log_selector statement setting these two options in a local configuration file. These options have exim log what cipher your exim and the peer's mailer have negotiated to use to encrypt the transaction, and they have exim log the Distinguished Name of the peer's certificate."

This is Greek to me. What are log_selector statements?

Thanks for any help.

Jeremiah Foster
Andreas Metzler
2005-Aug-23 13:33 UTC
[Pkg-exim4-users] using TLS/SSL with exim4 under debian
On 2005-08-23 Jeremiah Foster <jeremiah.foster@gmail.com> wrote:
[...]
> "Now, enable TLS by setting the macro MAIN_TLS_ENABLE in a local
> configuration file (documented below)."
> => This is where I am having problems. By "setting the macro" what do
> you mean? And which local configuration file? There are quite a few.
> The template file? The conf.conf file? Or under the conf.d directory?

Depends on whether you are using split configuration.

a) you are. dc_use_split_config='true' in /etc/exim4/update-exim4.conf.conf.
   echo "MAIN_TLS_ENABLE = true" >> /etc/exim4/conf.d/main/00_local

b) you are not. dc_use_split_config='false'
   echo "MAIN_TLS_ENABLE = true" >> /etc/exim4/exim4.conf.localmacros

> "It might be appropriate to add "+tls_cipher +tls_peerdn" to any
> log_selector statement you might already have, or to add a
> log_selector statement setting these two options in a local
> configuration file. These options have exim log what cipher your exim
> and the peer's mailer have negotiated to use to encrypt the
> transaction, and they have exim log the Distinguished Name of the
> peer's certificate."
> This is greek to me. What are log_selector statements?

http://www.exim.org/exim-html-4.50/doc/html/spec_14.html#IX1253

cu andreas
--
"See, I told you they'd listen to Reason," [SPOILER] Svfurlr fnlf, fuhggvat qbja gur juveyvat tha.
Neal Stephenson in "Snow Crash"
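The two cases above differ only in which local file receives the macro, and the bare `>>` appends a second copy every time it is rerun. The following helper is an added example (not from the thread or the Debian exim4 package): it reads dc_use_split_config from update-exim4.conf.conf, picks the matching target file, adds MAIN_TLS_ENABLE only if it is not already set, and checks that the exim.crt/exim.key pair that exim-gencert produces is present and that the key is not world-readable. The directory argument defaults to /etc/exim4; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the thread or of the Debian exim4 package.
# Selects the right local configuration file for MAIN_TLS_ENABLE based on
# dc_use_split_config, appends the macro idempotently, and sanity-checks the
# certificate files. CONFDIR defaults to /etc/exim4.

# Print the file that should carry MAIN_TLS_ENABLE for this host.
exim4_tls_target_file() {
    confdir="${1:-/etc/exim4}"
    # Extract the quoted value of dc_use_split_config, e.g. 'true' or 'false'.
    split=$(sed -n "s/^dc_use_split_config='\([^']*\)'.*/\1/p" \
               "$confdir/update-exim4.conf.conf" 2>/dev/null)
    if [ "$split" = "true" ]; then
        echo "$confdir/conf.d/main/00_local"        # split configuration
    else
        echo "$confdir/exim4.conf.localmacros"      # single-file configuration
    fi
}

# Append "MAIN_TLS_ENABLE = true" to the target file unless it is already set,
# so repeated runs do not leave duplicate macro definitions. Prints the file used.
exim4_enable_tls() {
    confdir="${1:-/etc/exim4}"
    target=$(exim4_tls_target_file "$confdir")
    mkdir -p "$(dirname "$target")"
    if ! grep -qs '^MAIN_TLS_ENABLE[[:space:]]*=' "$target"; then
        printf 'MAIN_TLS_ENABLE = true\n' >> "$target"
    fi
    echo "$target"
}

# Return 0 when exim.crt and exim.key exist and the key is not world-readable
# (exim-gencert sets restrictive permissions; this verifies they survived).
exim4_tls_cert_ok() {
    confdir="${1:-/etc/exim4}"
    [ -r "$confdir/exim.crt" ] && [ -f "$confdir/exim.key" ] || return 1
    # GNU stat first, BSD stat as fallback; the last octal digit is the "other" bits.
    mode=$(stat -c %a "$confdir/exim.key" 2>/dev/null || stat -f %Lp "$confdir/exim.key" 2>/dev/null)
    case "$mode" in
        *[1-7]) return 1 ;;   # world-readable, -writable or -executable key
    esac
    return 0
}

# Usage (as root, after running exim-gencert):
#   exim4_tls_cert_ok && exim4_enable_tls && /etc/init.d/exim4 reload
```

After the macro is in place, update-exim4.conf regenerates the running configuration on reload, which is the step the echo alone does not perform.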
Brent Clark
2005-Aug-23 13:46 UTC
[Pkg-exim4-users] using TLS/SSL with exim4 under debian
Hi

So sorry to hijack this thread.

But my question is, to use TLS/SSL, obviously I need a cert. BUT do I have to have it signed with a CA like Thawte / verisign etc.

I would like to use TLS / SSL on my public mailing list. I currently have mail being sent / received with my current exim4 relay, but I would like to secure the mail.

I had a look at the Exim4 doc, and it doesn't look that complicated in setting up. It's just the policy of the cert that I'm not sure of.

I can't afford for my mail to be rejected etc.

Would anyone have any docs to share some clarity on why / how / when etc when using TLS / SSL certs.
Jeremiah Foster
2005-Aug-23 13:55 UTC
[Pkg-exim4-users] using TLS/SSL with exim4 under debian
On Aug 23, 2005, at 3:46 PM, Brent Clark wrote:
> Hi
>
> So sorry to hijack this thread.
>
> But my question is, to use TLS/SSL, obviously I need a cert. BUT do
> I have to have it signed with a CA like Thawte / verisign etc.

No, you can self sign or you can use a free authority like CAcert - http://www.cacert.org

> I would like to use TLS / SSL on my public mailing list. I currently
> have mail being sent / received with my current exim4 relay, but I
> would like to secure the mail.
>
> I had a look at the Exim4 doc, and it doesn't look that complicated in
> setting up. It's just the policy of the cert that I'm not sure of.

If you are using debian you can follow their instructions which appear to be pretty good, although I cannot get it to work for me just yet. Look at /usr/share/doc/exim4/README.debian

> I can't afford for my mail to be rejected etc.
>
> Would anyone have any docs to share some clarity on why / how / when
> etc when using TLS / SSL certs.

I will leave it to someone more experienced to answer this question.
Jeremiah Foster
2005-Aug-23 21:12 UTC
[Pkg-exim4-users] using TLS/SSL with exim4 under debian
On Aug 23, 2005, at 7:33 PM, Andreas Metzler wrote:
> [...]
>
> [...]
>>> echo "MAIN_TLS_ENABLE = true" >> /etc/exim4/exim4.conf.localmacros
>
>> So I assume that I should follow example b, which is what I have done.
>> (There was no /etc/exim4/exim4.conf.localmacros file previously.) I
>> assume one needs to restart exim4 again? I will use /etc/init.d/exim4
>> restart for this.
>
> Both /etc/init.d/exim4 restart or /etc/init.d/exim4 reload should
> work.
> hth, cu andreas

Thanks again Andreas. Unfortunately I am still having trouble. My /etc/exim4/exim4.conf.localmacros looks like this:

$ cat /etc/exim4/exim4.conf.localmacros
MAIN_TLS_ENABLE = true

Have I forgotten a step?

Jeremiah
Andreas Metzler
2005-Aug-24 09:57 UTC
[Pkg-exim4-users] using TLS/SSL with exim4 under debian
On 2005-08-23 Jeremiah Foster <jeremiah.foster@gmail.com> wrote:
[...]
> Thanks again Andreas. Unfortunately I am still having trouble. My
> /etc/exim4/exim4.conf.localmacros looks like this:
> $ cat /etc/exim4/exim4.conf.localmacros
> MAIN_TLS_ENABLE = true

Looks good.

> Have I forgotten a step?

"I am still having trouble" is quite unspecific. What works, what doesn't, how did you test, what does the logfile say?

Does exim advertise TLS?
---------
telnet insert.host.name.here 25
ehlo foo
quit
---------
should contain:
250-STARTTLS

Does TLS work? Install swaks and libnet-ssleay-perl and run
swaks -s insert.host.name.here -tls -q ehlo

cu andreas
--
"See, I told you they'd listen to Reason," [SPOILER] Svfurlr fnlf, fuhggvat qbja gur juveyvat tha.
Neal Stephenson in "Snow Crash"
Marc Haber
[Pkg-exim4-users] using TLS/SSL with exim4 under debian
On Tue, Aug 23, 2005 at 03:46:50PM +0200, Brent Clark wrote:
> But my question is, to use TLS/ SSL., obviously I need a cert. BUT Do I
> have to it signed with a CA like Thwate / verisign etc.

No, you don't. I have yet to see an MX that does certificate validation. I have seen smarthosts who insist on seeing a valid and signed client certificate before relaying for a client, and I have seen clients complaining about an "untrusted" certificate when doing SMTP AUTH. But, certificate validation in SMTP traffic between servers has no market relevance.

> I would like to use TLS / SSL on my public mailing list. I currently have
> mail been sent / received with my current exim4 relay, but I would like to
> a secure the mail.

Explain what you mean by "secure". If you have arbitrary users on the mailing list, chances are that they are on big freemailers whose MXs don't support TLS. Do you want to send unencrypted to them, or do you want to refrain from sending there at all? Additionally, if some of your users use mail forwarding, you cannot control the continuing legs of transmission. If you want to secure your content, use application-level end-to-end encryption.

> I had a look at the Exim4 doc, and it doesnt look that complicated in
> setting up. Its just the policy of the cert that im not sure of.
>
> I cant afford for my mail to be rejected etc.

So you can only offer TLS and do it if the other side can do TLS.

> Would anyone have any docs to share some clarrity on why / how / when etc
> when using TLS / SSL certs.

Sure. As soon as you share some clarity about what you intend to do.

Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt  | Fax: *49 621 72739835
Jeremiah Foster
2005-Aug-24 10:16 UTC
[Pkg-exim4-users] using TLS/SSL with exim4 under debian
On Aug 24, 2005, at 11:57 AM, Andreas Metzler wrote:
>
>> [..]
>
> "I am still having trouble" is quite unspecific. What works, what
> doesn't, how did you test, what does the logfile say?
>
> Does exim advertise TLS?
> ---------
> telnet insert.host.name.here 25
> ehlo foo
> quit
> ---------
> should contain:
> 250-STARTTLS

Yes it does contain 250-STARTTLS

root@devmodul:~# telnet devmodul.com 25
Trying 127.0.0.1...
Connected to devmodul.com.
Escape character is '^]'.
220 devmodul.com ESMTP Exim 4.50 Wed, 24 Aug 2005 12:02:50 +0200
EHLO foo
250-devmodul.com Hello localhost.johncompanies.com [127.0.0.1]
250-SIZE 52428800
250-PIPELINING
250-STARTTLS
250 HELP

> Does TLS work? Install swaks and libnet-ssleay-perl and run
> swaks -s insert.host.name.here -tls -q ehlo

Yes, TLS works:

root@devmodul:~# swaks -s devmodul.com -tls -q ehlo
=== Trying devmodul.com:25...
=== Connected to devmodul.com.
<-  220 devmodul.com ESMTP Exim 4.50 Wed, 24 Aug 2005 12:08:13 +0200
 -> EHLO devmodul.com
<-  250-devmodul.com Hello localhost.johncompanies.com [127.0.0.1]
<-  250-SIZE 52428800
<-  250-PIPELINING
<-  250-STARTTLS
<-  250 HELP
 -> STARTTLS
<-  220 TLS go ahead
=== TLS started w/ cipher DHE-RSA-AES256-SHA
 ~> EHLO devmodul.com
<~  250-devmodul.com Hello localhost.johncompanies.com [127.0.0.1]
<~  250-SIZE 52428800
<~  250-PIPELINING
<~  250 HELP
 ~> QUIT
<~  221 devmodul.com closing connection

Jeremiah Foster
http://www.devmodul.com
jeremiah.foster@devmodul.com
Tel/Mobil: +46 (0)730 930 506
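The two checks Andreas asked for above (does EHLO advertise STARTTLS, and does a TLS handshake actually complete) and the transcripts Jeremiah posted in reply lend themselves to a small script. What follows is an added example, not code from the thread or from the exim4 or swaks projects: it parses a captured telnet or swaks session for a `250-STARTTLS` line and for the cipher swaks reports, and it can run a live probe with `openssl s_client -starttls smtp`, which also prints the server certificate subject and OpenSSL's verify result so you can see what a validating peer would make of a self-signed certificate. The sample session is constructed (hostnames under example.test, a documentation IP) and modelled on the one above; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread, exim4 or swaks. Checks whether an SMTP
# server advertises STARTTLS and which cipher was negotiated, either offline
# from a captured session on stdin or live with openssl s_client.

# Constructed sample session, modelled on the swaks output posted in the thread
# (addresses replaced with documentation values).
SAMPLE_SWAKS_SESSION='=== Trying mail.example.test:25...
=== Connected to mail.example.test.
<-  220 mail.example.test ESMTP Exim 4.50
 -> EHLO client.example.test
<-  250-mail.example.test Hello client.example.test [192.0.2.10]
<-  250-SIZE 52428800
<-  250-PIPELINING
<-  250-STARTTLS
<-  250 HELP
 -> STARTTLS
<-  220 TLS go ahead
=== TLS started w/ cipher DHE-RSA-AES256-SHA
 ~> EHLO client.example.test
<~  250-mail.example.test Hello client.example.test [192.0.2.10]
<~  250 HELP
 ~> QUIT
<~  221 mail.example.test closing connection'

# Reduce a telnet or swaks transcript on stdin to the bare server reply lines:
# drop CR, strip the swaks "<- " / "<~ " prefix, keep lines that start with a
# three-digit reply code.
_smtp_server_lines() {
    tr -d '\r' | sed -n 's/^<[-~] *//; /^[0-9][0-9][0-9][- ]/p'
}

# Exit 0 if the EHLO response in the transcript on stdin advertises STARTTLS.
smtp_advertises_starttls() {
    _smtp_server_lines | grep -q '^250[- ]STARTTLS$'
}

# Print the cipher swaks reports after the handshake ("=== TLS started w/ cipher X").
swaks_negotiated_cipher() {
    tr -d '\r' | sed -n 's/^=== TLS started w\/ cipher //p'
}

# Live probe: let openssl negotiate STARTTLS and report cipher, certificate
# subject and verify result. Port defaults to 25; pass 587 for submission.
smtp_tls_probe() {
    host="$1"; port="${2:-25}"
    out=$(openssl s_client -starttls smtp -connect "$host:$port" </dev/null 2>/dev/null) || return 1
    printf '%s\n' "$out" | sed -n 's/^ *Cipher *: */cipher=/p; /^subject=/p; /^ *Verify return code/p'
}

# Usage:
#   printf '%s\n' "$SAMPLE_SWAKS_SESSION" | smtp_advertises_starttls && echo "STARTTLS offered"
#   printf '%s\n' "$SAMPLE_SWAKS_SESSION" | swaks_negotiated_cipher
#   smtp_tls_probe mail.example.test 25
#   smtp_tls_probe mail.example.test 587
```

A self-signed certificate produced by exim-gencert will show a non-zero verify return code in the live probe; per Marc's note above, MX-to-MX delivery does not normally validate it, but a mail client doing SMTP AUTH on port 587 may warn. Probing both 25 and 587 also separates "TLS is broken" from "this port is not reachable", which is the distinction that settled Jeremiah's problem.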
Marc Haber
[Pkg-exim4-users] using TLS/SSL with exim4 under debian
On Wed, Aug 24, 2005 at 12:21:13PM +0200, Jeremiah Foster wrote:
> On Aug 24, 2005, at 11:57 AM, Andreas Metzler wrote:
> >"I am still having trouble" is quite unspecific. What works, what
> >doesn't, how did you test, what does the logfile say?

The issue was an ISP blocking outgoing TCP/25 and an exim not listening on TCP/587. It has been diagnosed and solved on IRC.

Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt  | Fax: *49 621 72739835