Mailing List Archive

exim4 smarthost with ssl
Hi,

I have a stock Debian (6) with Exim4 (4.71) which I use as a smarthost
to my ISP (verizon). They are switching to SSL on port 465 and I am
having a hard time getting exim4 to cooperate. (previously they were
using STARTTLS on port 587 which worked just fine)

I am getting infinite deferrals and connection timeouts.... Googling my
problems suggests that exim4 needs to be run with stunnel but most of
those posts are ancient so I'm hoping that exim does indeed support this
configuration independently.

I am no expert but I suspect that the remote server is waiting for exim4
to initiate the SSL handshake (?). Excerpt from mainlog:

2013-06-08 09:07:03 [25398] 1UlImR-0006bc-70 SMTP timeout while connected to smtp.verizon.net [206.46.232.100] after initial connection: Connection timed out
2013-06-08 09:07:03 [25397] 1UlImR-0006bc-70 == eelboy@aol.com R=smarthost T=remote_smtp_smarthost defer (110): Connection timed out: SMTP timeout while connected to smtp.verizon.net [206.46.232.100] after initial connection

Any help/advice greatly appreciated - thanks!



--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
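
The symptom in the post above (a timeout "after initial connection") is what a client sees when it waits for a cleartext 220 greeting on a port where the server waits for a TLS ClientHello first. The probe below is an added example, not part of the original thread; the function names and result labels are hypothetical, and it only tells the two port styles apart.

```python
import socket
import ssl
import sys


def _read_greeting(sock):
    """Return the first bytes the peer sends, or b'' if it stays silent."""
    try:
        return sock.recv(512)
    except OSError:  # covers socket timeouts and ssl.SSLError
        return b""


def probe_smtp_port(host, port, timeout=3.0, context=None):
    """Classify a mail port as 'starttls-style', 'tls-on-connect' or 'unknown'.

    starttls-style : the server greets in cleartext (220 ...) right after
                     connect, as on port 587; TLS starts later via STARTTLS.
    tls-on-connect : the server says nothing until the client starts a TLS
                     handshake, as on port 465 (smtps).
    """
    # Step 1: connect and wait, the way a client without smtps support does.
    with socket.create_connection((host, port), timeout=timeout) as plain:
        if _read_greeting(plain).startswith(b"220"):
            return "starttls-style"

    # Step 2: no cleartext greeting, so reconnect and start TLS immediately.
    context = context or ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with context.wrap_socket(raw, server_hostname=host) as tls:
                if _read_greeting(tls).startswith(b"220"):
                    return "tls-on-connect"
    except OSError:
        pass  # handshake refused, timed out, or certificate did not verify
    return "unknown"


if __name__ == "__main__" and len(sys.argv) == 3:
    # Usage: python probe.py <smarthost> <port>
    print(sys.argv[1], sys.argv[2],
          probe_smtp_port(sys.argv[1], int(sys.argv[2])))
```

A result of "tls-on-connect" means the transport has to start TLS itself rather than wait for a greeting.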
Re: exim4 smarthost with ssl
On 2013-06-08, eelboy <eelboy@aol.com> wrote:
> Hi,
>
> I have a stock Debian (6) with Exim4 (4.71) which I use as a smarthost
> to my ISP (verizon). They are switching to SSL on port 465 and I am
> having a hard time getting exim4 to cooperate. (previously they were
> using STARTTLS on port 587 which worked just fine)

That seems like a backwards step by them 456+ssl is deprecated.

anyway, in your smtp transport :

# port= unset or 465
protocol=smtps

but for debian

zless /usr/share/doc/exim4-config/README.Debian.gz

section 2.2

TLS on connect is not natively supported.

IOW "you can't get there from here"

debian's exim4-config offers no way to activate exim's ssl on connect
capability,



so you have basically two choices, install and configure stunnel or
edit the exim4 config file, unless you're using stunnel for something
else I'd go with option 2

edit /etc/exim4/exim4-conf-template
or /etc/exim4/conf.d/transport/30_exim4-config_remote_smtp_smarthost
depending on whether or not you're using split config

in the file, add after

remote_smtp_smarthost:

this line:

protocol=smtps

then save it and then run

dpkg-reconfigure exim4-config

and remove or amend the port number setting on the smarthost.

--
⚂⚃ 100% natural

Re: exim4 smarthost with ssl
On Sun, Jun 9, 2013 at 2:55 PM, Jasen Betts <jasen@xnet.co.nz> wrote:

>
> That seems like a backwards step by them 456+ssl is deprecated.
>

For something that is deprecated, mail clients seem way too eager to use
that rather than 587 + STARTSSL.

Where I work, we actually had to start supporting it recently, though we
never had before.

So client use of port 465 is on the rise, deprecated though it may be.
--
Jan
Re: exim4 smarthost with ssl
On 2013-06-08 at 11:16 -0400, eelboy wrote:
> I have a stock Debian (6) with Exim4 (4.71) which I use as a smarthost
> to my ISP (verizon). They are switching to SSL on port 465 and I am
> having a hard time getting exim4 to cooperate. (previously they were
> using STARTTLS on port 587 which worked just fine)

You need at least Exim 4.77 to be able to set "protocol = smtps" on the
Transport used.

If switching to Wheezy isn't a solution, then you're likely looking at
adding a patch into your deb build. There are no guarantees that it
will apply cleanly.

http://bugs.exim.org/97
http://git.exim.org/exim.git/commitdiff/061b7ebd7d69db7674f03025d552fa0bedd0fef8

-Phil

Re: exim4 smarthost with ssl
hi,
I suppose your ssl certificates are expired, then tcp connection gets
timeout.


On 10 June 2013 07:04, Phil Pennock <exim-users@spodhuis.org> wrote:

> On 2013-06-08 at 11:16 -0400, eelboy wrote:
> > I have a stock Debian (6) with Exim4 (4.71) which I use as a smarthost
> > to my ISP (verizon). They are switching to SSL on port 465 and I am
> > having a hard time getting exim4 to cooperate. (previously they were
> > using STARTTLS on port 587 which worked just fine)
>
> You need at least Exim 4.77 to be able to set "protocol = smtps" on the
> Transport used.
>
> If switching to Wheezy isn't a solution, then you're likely looking at
> adding a patch into your deb build. There are no guarantees that it
> will apply cleanly.
>
> http://bugs.exim.org/97
>
> http://git.exim.org/exim.git/commitdiff/061b7ebd7d69db7674f03025d552fa0bedd0fef8
>
> -Phil
>
Re: exim4 smarthost with ssl
Thanks to all for the responses... At this point I think I will try a
build of 4.80 to get it working (from source) and look into a wheezy
update later.

Next task will be to learn the non-Debian configuration syntax of exim4
(sometimes that dpkg-reconfigure comes in quite handy....)

edward

On 06/10/2013 03:04 AM, Phil Pennock wrote:
> On 2013-06-08 at 11:16 -0400, eelboy wrote:
>> I have a stock Debian (6) with Exim4 (4.71) which I use as a smarthost
>> to my ISP (verizon). They are switching to SSL on port 465 and I am
>> having a hard time getting exim4 to cooperate. (previously they were
>> using STARTTLS on port 587 which worked just fine)
> You need at least Exim 4.77 to be able to set "protocol = smtps" on the
> Transport used.
>
> If switching to Wheezy isn't a solution, then you're likely looking at
> adding a patch into your deb build. There are no guarantees that it
> will apply cleanly.
>
> http://bugs.exim.org/97
> http://git.exim.org/exim.git/commitdiff/061b7ebd7d69db7674f03025d552fa0bedd0fef8
>
> -Phil


Re: exim4 smarthost with ssl
On 2013-06-10 at 11:45 -0400, eelboy wrote:
> Next task will be to learn the non-Debian configuration syntax of exim4
> (sometimes that dpkg-reconfigure comes in quite handy....)

I think that if you just do a final dpkg-reconfigure and grab
/var/lib/exim4/config.autogenerated then you should be able to use that
as your template for Exim, instead of starting with our upstream.

At least then you'll be starting with something you know works for all
other use-cases you have.

Looking at an /var/lib/exim4/config.autogenerated it looks as though the
.ifdef weeds thin out after a bit and by the time you get to the routers
you're mostly looking at Exim configuration, rather than dpkg framework.

-Phil

Re: exim4 smarthost with ssl
Just some clarifications, according to my understanding of how Exim works
on a Debian system.

On Mon, Jun 10, 2013 at 11:47 PM, Phil Pennock <pdp@exim.org> wrote:

> On 2013-06-10 at 11:45 -0400, eelboy wrote:
> > Next task will be to learn the non-Debian configuration syntax of exim4
> > (sometimes that dpkg-reconfigure comes in quite handy....)
>
> I think that if you just do a final dpkg-reconfigure and grab
> /var/lib/exim4/config.autogenerated then you should be able to use that
> as your template for Exim, instead of starting with our upstream.
>

Running dpkg-reconfigure should be unnecessary. That is something you do
when you want to change fundamentals in the Exim configuration, not when
you want the autogenerated config file.

The way to generate /var/lib/exim4/config.autogenerated is to run the
following command:

update-exim4.conf

This reads the metaconfig in /etc/exim4/update-exim4.conf.conf (yeah, I
know, just awful), and combines it with either the template file
/etc/exim4/exim4.conf.template, or if you've enabled split config, the
separate files in the /etc/exim4/conf.d/ hierarchy.

> Looking at an /var/lib/exim4/config.autogenerated it looks as though the
> .ifdef weeds thin out after a bit and by the time you get to the routers
> you're mostly looking at Exim configuration, rather than dpkg framework.
>

config.autogenerated should be "pure" Exim configuration without any Debian
framework.

That is, config.autogenerated should be possible to use with a standalone,
self-compiled Exim, provided that it is compiled with the same options as
Debian's Exim build.

See also here for more information about Debian's configuration system (for
Exim):

http://pkg-exim4.alioth.debian.org/README/README.Debian.html#id280581
--
Jan