On Sun, 2 Jun 2013 19:53:59 -0400, Chris Knadle <chris.kna...@coredump.us> wrote: >On Sunday, June 02, 2013 17:10:02, Marc Haber wrote: >> Exim's default in the packages is not to send authentication data over >> a non-encrypted connection. The debconf code could try to check >> whether the smarthost allowes TLS, and if not, query the user whether >> it is ok to send the password over a non-encrypted connection. > >Yeah I see why this test could be useful; gnutls-bin is listed as a Suggests >by exim4-base, so the TLS libraries may not be locally available.
The TLS libraries are not in gnutls-bin. gnutls-bin contains debugging tools. Exim can, of course, use encryption by default. >The normal way I know to check for TLS availability is to telnet to the SMTP >port, give an "EHLO <FQDN>" (and it must be an EHLO) or "EHLO [<IP_address>]", >and then look for a "STARTTLS" advertisement in the response from the server. >Unfortunately this isn't always possible; some systems filter telnet from >reaching the MTA. Selinux? or how do they do that? >Attempting to use an FQDN is also troublesome, because Exim tries to use DNS >to look up the FQDN, and falls back to using 'uname -n' which returns the >local hostname without a domain name. The SMTP RFCs require the HELO/HELO >information to contain an FQDN or an IP address in [] brackets, and some mail >systems reject connections containing non-conforming HELO/EHLO greetings. Smarthosts are usually a lot more forgiving in that regard. >> > In this example, the FQDN of the local machine is orac.example.com >> > and the smarthost machine is smtp.example.com >> > >> > Create new file /etc/exim4/exim4.conf.localmacros containing: >> > MAIN_TLS_ENABLE = true >> > primary_hostname = orac.example.com >> >> I don't think you need MAIN_TLS_ENABLE to to TLS as a client. > >Tested this... looks like this is true. :-) Cool. [I'm pretty sure this >wasn't always the case, but I'm glad it is now.] Afair, it was always the case. >> You can set sc_smarthost to hostname::587 without having to change the >> transport, see update-exim4.conf(8) or the debconf template for >> dc_smarthost. > >Sweet. Thanks! This really helps because it means I can avoid having to >modify exim4.conf.template altogether, which will simplify upgrades Indeed. The configuration was carefully crafted to allow this. >> > On the mail server machine (i.e. smtp.example.com), make an MD5 >> > >> > passowrd hash of the password used on the client machine via command: >> > #mkpasswd -H md5 SillyPassword >> > $1$fUJ2RJ3J$1JvM9dutQs3dbM8DXts1H1 >> > >> > Then modify /etc/exim4/passwd on the server to add a >> > >> > username:hashed_passwd:passwd triplet for the client: >> > Orac:$1$fUJ2RJ3J$1JvM9dutQs3dbM8DXts1H1:SillyPassword >> >> You also can a more modern hash if the server is Debian exim as well. > >The exim4_files(5) man page recommends MD5, which is why I was using it, and >thee README.Debian.gz document simply refers to this man page. However >crypt(3) indicates that sha-256 is supported too, so I tried it with Exim's >passwd file... sure enough, that works. ;-) I have committed a fix for the manpage that hasn't been touched in years. I hope that I pushed to the correct repository. Greetings Marc -- -------------------------------------- !! No courtesy copies, please !! ----- Marc Haber | " Questions are the | Mailadresse im Header Mannheim, Germany | Beginning of Wisdom " | http://www.zugschlus.de/ Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834 -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/e1ukjui-0000n6...@swivel.zugschlus.de