In-reply-to: <ZB/Lbgn/3oe2l...@axis.corp>
References: <zb52j1agugbum...@axis.corp> <5319ac62b1294b2290d3d14a6cd8b...@easthope.ca> <ZB/Lbgn/3oe2l...@axis.corp>

    From: David Wright <deb...@lionunicorn.co.uk>
    Date: Sat, 25 Mar 2023 23:34:54 -0500
In the first instance, just try sending a test message using the
commands I gave, except starting off with:

$ openssl s_client -crlf -connect mail.easthope.ca:465

After the certificate stuff, you should then see lines like:
...
And you carry on from there with:

 AUTH PLAIN encodedstring

The test message was transmitted.  Good!

(1) Section 1. in
https://www.exim.org/exim-html-current/doc/html/spec_html/ch-encrypted_smtp_connections_using_tlsssl.html
has "email submission but with TLS immediately upon connect instead of
using STARTTLS" is officially blessed by the IETF, and recommended by
them in preference to STARTTLS.

From the tests, my conclusion is that Island Hosting requires
TLS-on-connect & STARTTLS won't work.  Consistent with the IETF
recommendation.

Now all that's needed is to configure exim properly.

/usr/share/doc/exim4-base/README.Debian.gz should be a good starting
point for documentation but leaves several questions.

(2) 2.1.1. The Debconf questions
"Since you can usually read this file only after having answered the
questions ..." What file?

I infer as the central concept of the paragraph: "Command 'dpkg-reconfigure
exim4-config' takes as input
/usr/share/doc/exim4-base/exim4.conf.template and responses from the
user and produces as output
/usr/share/doc/exim4-base/update-exim4.conf.conf."

(3) "Both exim4-daemon-heavy and exim4-daemon-light support TLS/SSL
using the GnuTLS library."  Isn't openssl the default in Debian?  What
is the purpose of this sentence about GnuTLS?

(4) "TLS on connect is not natively supported."  OK but the test
confirmed that it can work.  Documentation could tell how to
configure. Otherwise link to instructions at least.

(5) https://www.exim.org/exim-html-current/doc/html/spec_html/ch-encrypted_smtp_connections_using_tlsssl.html
states "There is also a -tls-on-connect command line option. This
overrides tls_on_connect_ports; it forces the TLS-only behaviour for
all ports."  Connection from the local MUA to exim isn't encrypted.
The command line option will block that?

What ideas are there to configure TLS-on-connect for localhost to
smarthost and leave MUA to localhost unencrypted on port 25?

Thanks,                            ... P.
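One way to answer question (5) and the closing question, as an added configuration sketch that is not from the thread or from Debian's exim4 templates: keep the listener on port 25 without TLS-on-connect (no tls_on_connect_ports, no -tls-on-connect), and give only the outbound smarthost transport the smtps protocol, which makes exim start TLS immediately after connecting to port 465. Option names are real exim smtp-transport and main-section options; the transport name, the smarthost name mail.easthope.ca (taken from the test above) and the placement in a single exim.conf rather than Debian's split conf.d layout are assumptions.

```conf
# --- main section (assumed single-file exim.conf) ---
# Local MUA -> exim on 25 stays plain; TLS-on-connect is NOT enabled
# here, so do not set tls_on_connect_ports and do not start exim with
# -tls-on-connect, which would force TLS-only on every listening port.
daemon_smtp_ports = 25
local_interfaces  = 127.0.0.1

# --- transports section ---
# Outbound to the smarthost: TLS immediately on connect (smtps on 465),
# with the server certificate verified against the system CA store and
# delivery refused if TLS or authentication cannot be established.
remote_smtp_smarthost_tls:          # transport name is an assumption
  driver                  = smtp
  protocol                = smtps   # TLS on connect, no STARTTLS
  port                    = 465
  hosts_require_tls       = *
  tls_verify_certificates = system
  tls_verify_hosts        = *
  hosts_require_auth      = *       # credentials come from the
                                    # authenticators section, not shown
```

The router that handles non-local domains must point its `transport` at this transport and its `route_list` at mail.easthope.ca; in Debian's split configuration that is done through dc_smarthost and the transport files under /etc/exim4/conf.d/, which is outside this sketch.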
