Mailing List Archive

setting up exim4 to send mail through r4l.com
This e-mail address used to be just a forwarder to a local ISP.
Unfortunately that service went down a while ago and won't be up until
at least tomorrow. This prompted me to make this into a real e-mail
address through my domain host (registerforless - r4l.com).

That in turn prompted me to reinstall exim4 in the hopes that I could
once again use it to handle some e-mail tasks that I perform on behalf
of some service organizations (sending customized e-mails "from" the
organization to individual e-mail addresses). I use a generic "mail"
name for this, which is also a real e-mail address through my domain host.

I can send and receive e-mail through this address using Thunderbird so
I know the basics of configuring it. Unfortunately I'm a bit out of my
depth when configuring exim4 in this case. I was able to get it to
successfully work without ssl/tls but when I try to use ssl/tls, it
fails.

Without ssl/tls, my server is mail.extremeground.com:587. I can send
e-mail this way but in order to use ssl/tls, my smtp server is in the
r4l.com domain and uses port 465. I therefore updated
update-exim4.conf.conf to set the smarthost as

    dc_smarthost='<r4l server name>.r4l.com::465'

Following the https://wiki.debian.org/Exim#Configuration, I set up a
self-generated certificate and added

    MAIN_TLS_ENABLE = yes

to the exim4.conf.template. I also added the line to /etc/default/exim4
to listen on port 465 and set the port in the .template file then
updated the exim4 configuration and restarted the service.

I've tried using s-nail to send test messages since it allows you to
override the "from" header as such:

s-nail -s 'yet another test as regular user' -r mail@extremeground.com
garydale@rogers.com  < garydale.text

This should be the simplest case - the from address is the address I'm
trying to use and is also the e-mail address I mentioned in the
certificate. Unfortunately my mail goes nowhere.

I've done some playing around with swaks and with the certificates to
try various things but without luck. I tried this several years ago with
a different e-mail provider and got similar results - I could send
e-mail without ssl/tls but not with it. Back then, the provider needed
STARTTLS. I was hoping this would be simpler...

Any ideas?


--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: setting up exim4 to send mail through r4l.com
On 05/01/2019 23:34, Gary Dale via Exim-users wrote:
> Without ssl/tls, my server is mail.extremeground.com:587. I can send
> e-mail this way but in order to use ssl/tls, my smtp server is in the
> r4l.com domain and uses port 465.

In thunderbird config, you more-likely want STARTTLS than SSL/TLS for
the outbound smtp server settings. That's what is traditionally used
on 587. 465 is used for TLS-on-connect and is a bit less common
(Exim can handle it just fine, but requires specific configuration
to enable it).
--
Cheers,
Jeremy

Re: setting up exim4 to send mail through r4l.com
On 2019-01-06 8:48 a.m., Jeremy Harris via Exim-users wrote:
> On 05/01/2019 23:34, Gary Dale via Exim-users wrote:
>> Without ssl/tls, my server is mail.extremeground.com:587. I can send
>> e-mail this way but in order to use ssl/tls, my smtp server is in the
>> r4l.com domain and uses port 465.
> In thunderbird config, you more-likely want STARTTLS than SSL/TLS for
> the outbound smtp server settings. That's what is traditionally used
> on 587. 465 is used for TLS-on-connect and is a bit less common
> (Exim can handle it just fine, but requires specific configuration
> to enable it).
You've missed the point. My e-mail smarthost uses 587 for unencrypted
connections but 465 for encrypted. Using Thunderbird with ssl/tls on
port 465 works. It's the Exim4 (encrypted) configuration I need help with.

Re: setting up exim4 to send mail through r4l.com
On 2019-01-06 2:51 p.m., Jeremy Harris wrote:
> On 06/01/2019 19:34, Gary Dale via Exim-users wrote:
>> You've missed the point. My e-mail smarthost uses 587 for unencrypted
>> connections but 465 for encrypted. Using Thunderbird with ssl/tls on
>> port 465 works. It's the Exim4 (encrypted) configuration I need help
>> with.
> Oh, right. You're using Exim as a client here. So it's the transport
> configuration that matters:
>
> http://exim.org/exim-html-current/doc/html/spec_html/ch-the_smtp_transport.html#SECID146
>
> For the relevant transport in your config you'll need to
> set the "protocol" option to "smtps" to get TLS-on-connect.
> Quite where that is in your Debian-derived config I can't tell you.
> I'd not be at all surprised if the Debian configurator front-end
> knows about the possibility.

Yes. I forgot to mention that I've done that too. I added it to
exim4.conf.template then re-ran the configure and restarted the service.
Still no joy.


I also have just tried entering

    openssl s_client -starttls smtp -crlf -connect localhost:25

which I got from
https://serverfault.com/questions/308385/exim-tls-and-secure-smtp. I can
get the expected connection to port 25 but not port 465. When I try
using 465, I get the opening

    CONNECTED(00000003)

then the connection hangs.

When connected to port 25, I get the same message the OP does in his
working example about a self-signed certificate. I'm assuming that is
not the cause of my problems.

Trying another article I found, I entered:

    swaks -a -tls -q HELO -s <sub>.r4l.com:465 -au test -ap '<>'

where <sub> is replaced by the actual subdomain/server name assigned by
r4l. I get

    === Trying <sub>.r4l.com:465...
    === Connected to <sub>.r4l.com.
    <** Timeout (30 secs) waiting for server response
     -> QUIT
    <** Timeout (30 secs) waiting for server response
    === Connection closed with remote host.

With port 25, I never get the connection. With port 587 I get the
connection but it disconnects immediately:

 swaks -a -tls -q HELO -s <sub>.r4l.com:587 -au test -ap '<>'
=== Trying <sub>.r4l.com:587...
=== Connected to <sub>.r4l.com.
<-  220-<sub>.r4l.com ESMTP Exim 4.91 #1 Sun, 06 Jan 2019 17:25:47 -0500
<-  220-We do not authorize the use of this system to transport
unsolicited,
<-  220 and/or bulk e-mail.
 -> EHLO transponder.rahim-dale
<-  250-<sub>.r4l.com Hello <my router> [<my router's IP>]
<-  250-SIZE 52428800
<-  250-8BITMIME
<-  250-PIPELINING
<-  250-AUTH PLAIN LOGIN
<-  250-STARTTLS
<-  250 HELP
 -> STARTTLS
<-  220 TLS go ahead
=== TLS started with cipher TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256
=== TLS no local certificate set
=== TLS peer DN="/CN=*.r4l.com"
 ~> EHLO transponder.rahim-dale
<~  250-<sub>.r4l.com Hello <my router> [<my router's IP>]
<~  250-SIZE 52428800
<~  250-8BITMIME
<~  250-PIPELINING
<~  250-AUTH PLAIN LOGIN
<~  250 HELP
 ~> QUIT
<~  221 <sub>.r4l.com closing connection
=== Connection closed with remote host.

Going back to the openssl command, I tried connecting to the remote
server with the same results (465 connects but hangs, 25 doesn't even
connect and 587 connects). Unfortunately 587 still doesn't get me very far:

 openssl s_client -starttls smtp -crlf -connect <sub>.r4l.com:587
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = *.r4l.com
verify return:1
---
Certificate chain
 0 s:CN = *.r4l.com
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----

<snip>

-----END CERTIFICATE-----
subject=CN = *.r4l.com

issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3433 bytes and written 463 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID:
A33DD10363ACFD8A2D977FF3DE763AA6F83045589B6DBFCB2036EBA93F5F3B4A
    Session-ID-ctx:
    Master-Key:
22DD76F58F478197E503F2F40A873206F8790404B251A059C9A9E5F3A43E319284BF55A3EE5105954ADA395E9D30C8D5
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1546812480
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
250 HELP
helo
250 <sub>.r4l.com Hello <my router?> [<my router's IP>]
auth login
503 AUTH command used when not advertised

with similar errors for any other command I try.

I can understand 587 not working. It's not supposed to be used for
encrypted connections with this server. However I am not getting
anywhere with port 465.

Any ideas?


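The two things the post above runs into (a STARTTLS-style probe against 465 that stops after `CONNECTED(00000003)`, and the `503 AUTH command used when not advertised` after a bare `helo`) and Jeremy's earlier distinction between STARTTLS on 587 and TLS-on-connect on 465, modelled in Python. This is an added example, not code from the thread, from Exim or from r4l: both ends of the SMTP session are simulated in-process, `FakeSmarthost` is a constructed stand-in whose replies copy the thread's transcripts where they show them, `sub.r4l.com`, `client.example` and the credentials are placeholders, and `cn_matches` is a deliberately simplified name check (CN only, no SAN list) to show what a client must verify before sending a password.

```python
"""SMTP submission model: TLS-on-connect (465) versus STARTTLS (587).

Both ends are simulated in-process so the exchange runs offline.  FakeSmarthost
is a constructed stand-in whose replies mirror the ones quoted in the thread;
it is not r4l's server, and "sub.r4l.com" / the credentials are placeholders.
"""


class NoBanner(Exception):
    """Where a real client would sit waiting for a 220 that never arrives."""


def cn_matches(cn, host):
    """RFC 6125-style name check: same label count, '*' allowed only as the
    leftmost label, so '*.r4l.com' covers 'sub.r4l.com' but not 'a.b.r4l.com'."""
    c, h = cn.lower().split("."), host.lower().split(".")
    if len(c) != len(h):
        return False
    return all(a == b or (i == 0 and a == "*") for i, (a, b) in enumerate(zip(c, h)))


class FakeSmarthost:
    """Scripted smarthost: on 465 it expects TLS before any SMTP; on 587 it
    offers STARTTLS.  self.exts is None until the client has sent HELO/EHLO
    (and again right after STARTTLS), which is what drives the 503 replies."""

    CERT_CN = "*.r4l.com"  # wildcard CN as shown by s_client in the thread

    def __init__(self, port, name="sub.r4l.com"):
        self.port, self.name = port, name
        self.tls, self.exts = False, None

    def tls_handshake(self):
        """Stand-in for the handshake; hands back the certificate's CN."""
        self.tls = True
        return self.CERT_CN

    def banner(self):
        if self.port == 465 and not self.tls:
            raise NoBanner("465 wants a TLS ClientHello first; no plaintext 220")
        return f"220 {self.name} ESMTP"

    def cmd(self, line):
        verb = line.split(" ", 1)[0].upper()
        if verb == "HELO":
            self.exts = []  # plain HELO advertises nothing, so no AUTH either
            return [f"250 {self.name} Hello"]
        if verb == "EHLO":
            self.exts = ["SIZE 52428800", "8BITMIME", "PIPELINING", "AUTH PLAIN LOGIN"]
            if self.port == 587 and not self.tls:
                self.exts.append("STARTTLS")
            body = [f"250-{e}" for e in self.exts[:-1]] + [f"250 {self.exts[-1]}"]
            return [f"250-{self.name} Hello"] + body
        if verb == "STARTTLS":
            if not self.exts or "STARTTLS" not in self.exts:
                return ["503 STARTTLS command used when not advertised"]
            self.exts = None  # capabilities are re-learnt with a fresh EHLO
            return ["220 TLS go ahead"]
        if verb == "AUTH":
            if not self.exts or not any(e.startswith("AUTH") for e in self.exts):
                return ["503 AUTH command used when not advertised"]
            return ["235 Authentication succeeded"]
        if verb == "QUIT":
            return [f"221 {self.name} closing connection"]
        return ["500 unrecognised command"]


def submit(server, expect_host, mode, use_helo=False):
    """Client side.  mode is 'smtps' (handshake first), 'starttls' or 'none'.
    Returns the transcript; raises rather than sending credentials insecurely."""
    log = []
    greet = f"{'HELO' if use_helo else 'EHLO'} client.example"

    def handshake():
        cn = server.tls_handshake()
        if not cn_matches(cn, expect_host):
            raise ValueError(f"certificate {cn!r} does not cover {expect_host!r}")
        log.append(f"=== TLS up, peer CN={cn}")

    if mode == "smtps":
        handshake()  # before any SMTP byte; this is what port 465 expects
    log.append(server.banner())  # a STARTTLS-style client on 465 hangs here
    log.extend(server.cmd(greet))
    if mode == "starttls":
        reply = server.cmd("STARTTLS")
        log.extend(reply)
        if not reply[0].startswith("220"):
            raise RuntimeError(reply[0])
        handshake()
        log.extend(server.cmd(greet))  # EHLO again: the extension list changes under TLS
    if not server.tls:
        raise RuntimeError("refusing to send credentials over plaintext")
    log.extend(server.cmd("AUTH PLAIN <base64 credentials>"))
    log.extend(server.cmd("QUIT"))
    return log
```

Why 465 "hangs": with TLS-on-connect both sides wait for the other, the server for a ClientHello and a plaintext client (`openssl s_client -starttls smtp`, `swaks -tls`) for a 220, which is the `CONNECTED(00000003)` with no further output and the swaks 30-second timeout. `openssl s_client -connect host:465` with no `-starttls` is the right probe there. The 503 after `helo` is normal ESMTP: HELO advertises no extensions, so AUTH (and STARTTLS) are only usable after an EHLO, and after STARTTLS the EHLO has to be repeated because the extension list changes. The client here also refuses AUTH on an unencrypted session regardless of what the server advertised, which is the property an Exim transport needs `hosts_require_tls` for.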
Re: setting up exim4 to send mail through r4l.com
On 2019-01-06 2:51 p.m., Jeremy Harris wrote:
> On 06/01/2019 19:34, Gary Dale via Exim-users wrote:
>> You've missed the point. My e-mail smarthost uses 587 for unencrypted
>> connections but 465 for encrypted. Using Thunderbird with ssl/tls on
>> port 465 works. It's the Exim4 (encrypted) configuration I need help
>> with.
> Oh, right. You're using Exim as a client here. So it's the transport
> configuration that matters:
>
> http://exim.org/exim-html-current/doc/html/spec_html/ch-the_smtp_transport.html#SECID146
>
> For the relevant transport in your config you'll need to
> set the "protocol" option to "smtps" to get TLS-on-connect.
> Quite where that is in your Debian-derived config I can't tell you.
> I'd not be at all surprised if the Debian configurator front-end
> knows about the possibility.

Yes. I forgot to mention that I've done that too. I added it to
exim4.conf.template then re-ran the configure and restarted the service.
Still no joy.


Got a connection to the remote host using:

    openssl s_client -crlf -connect <sub>.r4l.com:465

From there I was able to login and send an e-mail (once I'd figured out
that I needed to follow the helo with an ehlo). The connection showed
the remote server's certificate information so I think it was encrypted.

This brings me back to the exim4 configuration. I tried putting

    REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS = *

in the exim4.conf.localmacros file so that the section

    .ifdef REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS
      hosts_require_tls = REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS
      protocol = smtps
    .endif

would be triggered in exim4.conf.template but when I look in
/var/lib/exim4/config.autogenerated, the section is simply copied (with
the enclosing .ifdef ... .endif) making me wonder if it is being run.
However the line from .localmacros is copied at the top, so it should
be. I guess the file is interpreted rather than simply being loaded by
the exim4 service.

At any rate, I think I've got everything right but I can't get it to
actually send mail...

Any idea?


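How the pieces named in the post above fit together, written out in plain Exim syntax as an added illustration. This is not Debian's exim4.conf.template, not a configuration the thread shows working against r4l, and not anything from the Exim project: the transport stanza is flattened instead of being generated from the template's `.ifdef` blocks, `<sub>.r4l.com` and `PASSWORD` are placeholders, and the verification options (`tls_verify_certificates`, `tls_verify_hosts`) are standard smtp-transport options added here rather than taken from the thread.

```exim
# /etc/exim4/update-exim4.conf.conf: smarthost on the TLS-on-connect port.
# "::" separates host from port in an Exim host list.
dc_smarthost='<sub>.r4l.com::465'

# /etc/exim4/exim4.conf.localmacros: update-exim4.conf concatenates macro
# definitions ahead of the template; Exim evaluates the .ifdef blocks when it
# reads the config, so the .ifdef lines surviving in config.autogenerated is
# expected and does not mean the block was skipped.
REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS = *

# The transport the generated configuration ends up expressing, flattened
# here for illustration.  Exim comments must start a line; text after an
# option value becomes part of the value.
remote_smtp_smarthost:
  driver = smtp
  # never fall back to plaintext on this route
  hosts_require_tls = *
  # TLS-on-connect; without this Exim waits for a 220 banner that a
  # port-465 server will never send in the clear
  protocol = smtps
  # verify the smarthost's chain against the system CA bundle and fail the
  # delivery on mismatch (the default only tries); the name in dc_smarthost
  # must be one the certificate covers, here the *.r4l.com wildcard
  tls_verify_certificates = system
  tls_verify_hosts = *
  # authenticate to the smarthost; Debian's PLAIN/LOGIN client
  # authenticators read passwd.client and, unless
  # AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS is defined, only send the password
  # once TLS is up
  hosts_try_auth = *

# /etc/exim4/passwd.client, readable by root and Debian-exim only.
# Fields: host as Exim names it in $host : login : password
<sub>.r4l.com:mail@extremeground.com:PASSWORD
```

Two checks worth doing before changing anything else: `exim4 -bP transport remote_smtp_smarthost` prints the transport as Exim actually parsed it, so it shows whether `protocol = smtps` and `hosts_require_tls` really made it through the macro and `.ifdef` handling; and /var/log/exim4/mainlog carries the TLS or AUTH failure reason for each deferred delivery, which a silent "goes nowhere" in s-nail does not. `MAIN_TLS_ENABLE` and the locally generated certificate only affect Exim as a server (inbound TLS to this machine); the outbound smarthost session does not depend on them, so the self-signed warning from `s_client` against localhost:25 is unrelated to the outbound problem.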
Re: setting up exim4 to send mail through r4l.com
Hi Gary

Since you use Debian, see the corresponding documentation in Section 2.2
in /usr/share/doc/exim4/README.Debian.gz. This should help.

Best Regards, Adrian.

On 06.01.19 00:34, Gary Dale via Exim-users wrote:
> This e-mail address used to be just a forwarder to a local ISP.
> Unfortunately that service went down a while ago and won't be up until
> at least tomorrow. This prompted me to make this into a real e-mail
> address through my domain host (registerforless - r4l.com).
[...]

Re: setting up exim4 to send mail through r4l.com
Gary Dale via Exim-users <exim-users@exim.org> wrote:
[...]
> You've missed the point. My e-mail smarthost uses 587 for unencrypted
> connections but 465 for encrypted. Using Thunderbird with ssl/tls on
> port 465 works. It's the Exim4 (encrypted) configuration I need help with.

Your e-mail smarthost does offer TLS on 587:

ametzler@argenau:~$ swaks -q ehlo -s mail.extremeground.com -p 587 -tls
=== Trying mail.extremeground.com:587...
=== Connected to mail.extremeground.com.
<- 220-ahs5.r4l.com ESMTP Exim 4.91 #1 Mon, 07 Jan 2019 13:41:41 -0500
<- 220-We do not authorize the use of this system to transport unsolicited,
<- 220 and/or bulk e-mail.
-> EHLO argenau.bebt.de
<- 250-ahs5.r4l.com Hello 194-166-231-60.adsl.highway.telekom.at [194.166.231.60]
<- 250-SIZE 52428800
<- 250-8BITMIME
<- 250-PIPELINING
<- 250-AUTH PLAIN LOGIN
<- 250-STARTTLS
<- 250 HELP
-> STARTTLS
<- 220 TLS go ahead
=== TLS started with cipher TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256
=== TLS no local certificate set
=== TLS peer DN="/CN=*.r4l.com"
[...]

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

