On Sat, Jun 28, 2025 at 11:11:42PM +0100, Andrew C Aitchison via Exim-users
wrote:
> > When using stunnel to set up the encrypted link between this box
> > and the smarthost, am I correct in assuming that exim, itself, is
> > only now working with old-school plain text, talking through
> > stunnel's tls translation engines which do all the en/decryption?
> >
> > Am I also correct in that exim4 will need to be still set
> > to 587 which is what this smarthost communicates on. If my
> > limited knowledge of TCP/IP serves me correctly, the port numbers
> > are in the packet headers so stunnel probably leaves those
> > however your application sets them.
No, there is no requirement to use the same port on the input and output
sides of stunnel. It is not performing IP packet encryption; it
encrypts a pair of TCP streams (one in each direction) inside a single
TLS connection carried over TCP.
> I've never tried this and I may very well be wrong, but I think
> you need stunnel to listen to exim on a port of your choice
Yes, any input port will do,
> and make a connection to port 465 since with port 587 the SMTP greeting
> comes before the TLS encryption.
It is simpler to use port 465 when supported by the remote smarthost,
but stunnel also supports SMTP STARTTLS. See "protocol = smtp" in
https://www.stunnel.org/static/stunnel.html
Generally, do instruct stunnel to *verify* the remote certificate:
verifyChain = yes
checkHost = <fqdn>
CAfile = <file>
CApath = <directory>
--
Viktor.
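A complete client-side stunnel configuration along the lines Viktor describes, added here as an illustration rather than taken from the thread or from stunnel's own documentation. The smarthost name, the local accept ports (2525 and 2587), the log and pid paths and the CA bundle path are all assumptions; replace them with your own. Both service sections are shown so the two approaches can be compared, but only one of them is needed in practice.

```ini
; stunnel.conf on the box running Exim (client mode).
; Added example: smarthost name, local ports and file paths are assumptions.
; Exim delivers plaintext SMTP to 127.0.0.1 on the local "accept" port and
; stunnel owns the TLS session to the smarthost.

foreground = no
pid = /run/stunnel/stunnel.pid
output = /var/log/stunnel.log
debug = 5

; Option A: implicit TLS on port 465 (simplest when the smarthost offers it).
; The TLS handshake completes before a single SMTP byte is exchanged.
; The local accept port is arbitrary and need not match 465.
[smarthost-465]
client = yes
accept = 127.0.0.1:2525
connect = smarthost.example.net:465
sslVersionMin = TLSv1.2
; Verify the server: chain to a trusted CA and the name on the certificate.
; Without these three lines stunnel completes the handshake with any
; certificate at all, which is the setting to avoid.
verifyChain = yes
checkHost = smarthost.example.net
CAfile = /etc/ssl/certs/ca-certificates.crt

; Option B: submission on port 587. The 220 greeting and EHLO come first in
; cleartext; "protocol = smtp" makes stunnel issue STARTTLS itself and only
; then start the TLS handshake, so Exim still sees plain SMTP on 2587.
[smarthost-587]
client = yes
accept = 127.0.0.1:2587
connect = smarthost.example.net:587
protocol = smtp
sslVersionMin = TLSv1.2
verifyChain = yes
checkHost = smarthost.example.net
CAfile = /etc/ssl/certs/ca-certificates.crt
```

On the Exim side (also an assumption, not something the thread spells out) the smarthost router's smtp transport then points at 127.0.0.1 with `port = 2525` (or 2587) and makes no attempt at TLS of its own, since any STARTTLS Exim tried to negotiate on that local hop would be answered by stunnel's plaintext leg rather than the smarthost. The verification lines are the ones that matter for security: `verifyChain` plus `CAfile`/`CApath` establishes that the certificate chains to a CA you trust, and `checkHost` establishes that it was issued to the host you meant to reach; either one alone is not enough.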
--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## [email protected]
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/