
Mailing List Archive: exim: users

TLS Question



sven at gegg

May 31, 2003, 10:02 AM

Post #1 of 7 (958 views)
TLS Question

Hi there,

In a setup of two computers, one machine with a fixed IP address and a
permanent connection to the Internet is used as MX, while the other machine
is using dynDNS and is connected to the Internet only most of the time with
changing IP addresses.

The goal I want to achieve is to automatically forward all incoming email to
the machine using dynDNS.

That's where TLS comes to mind, because there is an unlikely but possible
case where the dynDNS machine is not the one I expect it to be!

In this case the email has to be kept in Exim's mail queue on the MX machine.

The question is now how to achieve this setup.

TLS works on both machines but is not yet using client certificates.

I have set up tls_certificate and tls_privatekey. These are two different
keys on each of the two machines, and both certificates are signed by the same
(my own) CA.

Talking about clients and servers now, I would like to know which of the two
machines is the client and which one is the server as far as incoming email
is concerned?

I made the assumption that the dynDNS machine is the server.

That means, that SMTP-auth is not sufficient for this scenario, because the
server needs to authenticate the client and not vice versa.

Would it be possible to achieve this goal using TLS client certificates
instead of SMTP-auth?

Sven

--
Why are there so many Unix-haters-handbooks and not even one
Microsoft-Windows-haters handbook?
Gurer vf ab arrq sbe n unaqobbx gb ungr Zvpebfbsg Jvaqbjf!
/me is giggls [at] ircne, http://sven.gegg.us/ on the Web


sven at svenhartge

Feb 2, 2010, 5:05 PM

Post #2 of 7 (943 views)
Re: TLS question [In reply to]

On 03.02.2010 01:45, Eric A. Boney wrote:

> I am trying to send email from my server using a Ruby Rails application. The
> application uses ActionMailer to send out an authentication email. Even though
> the method is supposed to support TLS I am getting issues on my server that is
> rejecting the email.

Show log, get better help. Please don't obfuscate anything.

> So I am wondering if there is a way to not require TLS for a specific host? I
> have tried using host_avoid_tls = my.localhost.com in my transport but it
> still seems to deny the connection for my host.

Transports are for outgoing mail, but you need to configure your Exim
for incoming mail.

> I know the hostname and the ip address of the specific machine that will be
> attempting to send the email. Is there anyway possible to make exim accept it
> without using TLS?

First, have a look at "tls_advertise_hosts" and then at
"auth_advertise_hosts".

Example from my config:

# Advertise TLS to everyone but 10.19.78.1
tls_advertise_hosts = !10.19.78.1 : *

# Advertise AUTH only if $tls_cipher is set
auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}

In your case, you need to adapt those two settings.
(Of course, allowing non-CHAP-AUTH without TLS is a potentially bad idea.)

Regards,
Sven.

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
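As an added example (not from the thread and not Exim's own code), the shell script below reproduces how Exim would evaluate Sven's two settings for a given client address and TLS state, so you can see who gets STARTTLS and AUTH offered before changing a live server. The host-list matcher is a deliberately small reimplementation covering only the item forms shown on this page (a literal IP, `*` and `!` negation); the 192.0.2.x addresses and the cipher string are constructed sample values.

```shell
#!/bin/sh
# Added example: evaluate the two Exim host lists quoted above for one client.
# Only the item forms used on this page are handled (literal IP, "*", and "!"
# negation); CIDR and hostname items are out of scope here (assumption).

# exim_hostlist_matches LIST IP -> prints yes|no
# Exim semantics: items are tried left to right and the first match decides;
# if nothing matches, the result is the opposite of the last item's polarity
# (so "!10.19.78.1" on its own matches everything except that address).
exim_hostlist_matches() {
  list=$1; ip=$2; last_negated=no
  set -f                        # keep "*" from being expanded as a glob
  old_ifs=$IFS; IFS=':'
  for raw in $list; do
    IFS=$old_ifs
    item=$(printf '%s' "$raw" | tr -d ' \t')   # strip surrounding blanks
    [ -n "$item" ] || continue
    negated=no
    case $item in '!'*) negated=yes; item=${item#!} ;; esac
    last_negated=$negated
    if [ "$item" = '*' ] || [ "$item" = "$ip" ]; then
      IFS=$old_ifs; set +f
      if [ "$negated" = yes ]; then echo no; else echo yes; fi
      return 0
    fi
  done
  IFS=$old_ifs; set +f
  if [ "$last_negated" = yes ]; then echo yes; else echo no; fi
}

# Sven's auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}: an empty list
# (advertise AUTH to nobody) while $tls_cipher is unset, "*" once TLS is up.
auth_advertise_hosts() {
  if [ -z "$1" ]; then echo ''; else echo '*'; fi
}

# session_offers IP TLS_CIPHER -> "TLS=yes|no AUTH=yes|no"
# TLS_CIPHER is empty before STARTTLS and something like "TLS1.2:..." after it.
session_offers() {
  tls=$(exim_hostlist_matches '!10.19.78.1 : *' "$1")
  auth=$(exim_hostlist_matches "$(auth_advertise_hosts "$2")" "$1")
  echo "TLS=$tls AUTH=$auth"
}

# Constructed demo: the excluded host, and another host before and after STARTTLS.
echo "10.19.78.1 cleartext:       $(session_offers 10.19.78.1 '')"
echo "192.0.2.10 cleartext:       $(session_offers 192.0.2.10 '')"
echo "192.0.2.10 after STARTTLS:  $(session_offers 192.0.2.10 'TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128')"
```

The last line is the point of the pairing: a client that has not negotiated TLS is never shown AUTH, so its credentials cannot be sent in the clear.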


mailinglists at vanhlebarsoftware

Feb 2, 2010, 7:27 PM

Post #3 of 7 (944 views)
Re: TLS question [In reply to]

> Show log, get better help. Please don't obfuscate anything.
The relevant lines for this email are below.

2010-02-02 22:12:34 no host name found for IP address 192.168.1.1
2010-02-02 22:12:34 TLS recv error on connection from [192.168.1.1]: A TLS
packet with unexpected length was received.
2010-02-02 22:12:34 TLS send error on connection from [192.168.1.1]: The
specified session has been invalidated for some reason.

> In your case, you need to adapt those two settings.
> (Of course, allowing non-CHAP-AUTH without TLS is a potentially bad idea.)
>
> Grüße,
> Sven.

Yeah, I know, which is why I really want to try and find a way to actually get
this working with TLS, or to make it so that the machine, which is behind my
firewall, does not have to use TLS to send out emails. I will check out the
documentation for the items you mentioned, but if you have any other feedback,
please feel free to send it along. :)

Thanks,
-Eric



hs at schlittermann

Feb 2, 2010, 10:01 PM

Post #4 of 7 (942 views)
Re: TLS question [In reply to]

Eric A. Boney <mailinglists [at] vanhlebarsoftware> (Wed 03 Feb 2010 04:27:26 CET):
> > Show log, get better help. Please don't obfuscate anything.
> The relevant lines for this email are below.
>
> 2010-02-02 22:12:34 no host name found for IP address 192.168.1.1
> 2010-02-02 22:12:34 TLS recv error on connection from [192.168.1.1]: A TLS
> packet with unexpected length was received.
> 2010-02-02 22:12:34 TLS send error on connection from [192.168.1.1]: The
> specified session has been invalidated for some reason.

I'm guessing that you're connecting to a "tls_on_connect" port (mostly
465 is used for that). This requires the immediate start of an SSL
handshake. (Simulate this with "openssl s_client -connect <HOST:PORT>".)

Probably your application expects to use SMTP + TLS, thus first starting
clear text communication (EHLO, …) and then starting an explicit TLS
session (sending the STARTTLS command).

You can debug the several possibilities with swaks (running on your
client host) and using --tls and --port options.

The other option you're probably looking for is "tls_advertise_hosts";
it is expanded and could contain any but your client host.

Best regards from Dresden/Germany
Kind regards from Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann HS12-RIPE -----------------------------------------
gnupg encrypted messages are welcome - key ID: 48D0359B ---------------
gnupg fingerprint: 3061 CFBF 2D88 F034 E8D2 7E92 EE4E AC98 48D0 359B -
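Added example, not from Heiko's post: an awk-based triage over Exim mainlog lines that flags, per client address, the "unexpected length" pattern a cleartext SMTP client produces when it hits a TLS-on-connect port (or a TLS client hitting a cleartext one), so the protocol-mismatch case can be told apart from other TLS failures before reaching for openssl s_client or swaks. The first three sample lines are the ones quoted in this thread; the fourth is a constructed successful TLS delivery with a made-up message id and address.

```shell
#!/bin/sh
# Added example: triage Exim mainlog lines for the implicit-TLS vs STARTTLS
# mismatch. Lines 1-3 are the ones quoted in this thread; line 4 is a
# constructed successful TLS delivery (made-up message id and address).
SAMPLE_LOG='2010-02-02 22:12:34 no host name found for IP address 192.168.1.1
2010-02-02 22:12:34 TLS recv error on connection from [192.168.1.1]: A TLS packet with unexpected length was received.
2010-02-02 22:12:34 TLS send error on connection from [192.168.1.1]: The specified session has been invalidated for some reason.
2010-02-02 22:13:01 1NcXyz-0001aB-Cd <= alice@example.org H=[192.0.2.7] P=esmtps X=TLS1.0:RSA_AES_256_CBC_SHA1:32 S=1234'

# tls_triage LOGTEXT -> one "IP verdict" line per client that touched TLS:
#   mismatch  : "unexpected length" on receive, i.e. the client sent cleartext
#               SMTP to a tls_on_connect port (or TLS records to a plain one)
#   tls-error : some other TLS send/recv failure; look at ciphers/certs instead
#   ok        : only successful TLS sessions (P=esmtps) seen for that client
tls_triage() {
  printf '%s\n' "$1" | awk '
    # the client address is logged as [a.b.c.d] (or H=[a.b.c.d] on deliveries)
    match($0, /\[[0-9.]+\]/) { ip = substr($0, RSTART + 1, RLENGTH - 2) }
    /TLS recv error/ && /unexpected length/ { mismatch[ip]++ }
    /TLS (recv|send) error/                { tlserr[ip]++ }
    / P=esmtps /                            { tlsok[ip]++ }
    END {
      for (h in tlserr) seen[h] = 1
      for (h in tlsok)  seen[h] = 1
      for (h in seen) {
        if (mismatch[h])    verdict = "mismatch"
        else if (tlserr[h]) verdict = "tls-error"
        else                verdict = "ok"
        printf "%s %s\n", h, verdict
      }
    }' | LC_ALL=C sort
}

# A "mismatch" host is the one to retest from the client side, as suggested
# in the thread: "openssl s_client -connect HOST:PORT" for implicit TLS
# versus "swaks --tls --port PORT" for STARTTLS.
tls_triage "$SAMPLE_LOG"
```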


hs at schlittermann

Feb 2, 2010, 10:02 PM

Post #5 of 7 (943 views)
Re: TLS question [In reply to]

Heiko Schlittermann <hs [at] schlittermann> (Wed 03 Feb 2010 07:01:32 CET):
> The other option you're probably looking for is "tls_advertise_hosts";
> it is expanded and could contain any but your client host.

But I'd say this never ever could work on a "tls_on_connect_port".
There is no TLS advertisement.

Best regards from Dresden/Germany
Kind regards from Dresden
Heiko Schlittermann


chris+exim at qwirx

Feb 3, 2010, 12:23 AM

Post #6 of 7 (929 views)
Re: TLS question [In reply to]

Hi Eric,

On Tue, 2 Feb 2010, Eric A. Boney wrote:

> I am trying to send email from my server using a Ruby Rails application.
> The application uses ActionMailer to send out an authentication email.
> Even though the method is supposed to support TLS I am getting issues on
> my server that is rejecting the email.
>
> So I am wondering if there is a way to not require TLS for a specific
> host? I have tried using host_avoid_tls = my.localhost.com in my
> transport but it still seems to deny the connection for my host.

Not requiring TLS is not the same as not allowing it. Even if you don't
require it, Rails' ActionMailer will use it if it's offered. The easiest
way to fix it is to disable that behaviour in the rails application by
adding the following to config/environment.rb:

ActionMailer::Base.smtp_settings = {
:domain => "my.host.name",
:enable_starttls_auto => false
}

> I know the hostname and the ip address of the specific machine that will
> be attempting to send the email. Is there anyway possible to make exim
> accept it without using TLS?

Of course, you must accept email without TLS as well, but that is the
default, so if you've changed it then you must know how you did so, to be
able to undo it.

Cheers, Chris.
--
Chris Wilson <0000 at qwirx.com> - Cambs UK | Security/C/C++/Java/Perl/SQL/HTML Developer | We are GNU-free your mind-and your software



mailinglists at vanhlebarsoftware

Feb 3, 2010, 1:04 AM

Post #7 of 7 (934 views)
Re: TLS question [SOLVED] [In reply to]

> Hi Eric,
>
> On Tue, 2 Feb 2010, Eric A. Boney wrote:
> > I am trying to send email from my server using a Ruby Rails application.
> > The application uses ActionMailer to send out an authentication email.
> > Even though the method is supposed to support TLS I am getting issues on
> > my server that is rejecting the email.
> >
> > So I am wondering if there is a way to not require TLS for a specific
> > host? I have tried using host_avoid_tls = my.localhost.com in my
> > transport but it still seems to deny the connection for my host.
>
> Not requiring TLS is not the same as not allowing it. Even if you don't
> require it, Rails' ActionMailer will use it if it's offered. The easiest
> way to fix it is to disable that behaviour in the rails application by
> adding the following to config/environment.rb:
>
> ActionMailer::Base.smtp_settings = {
>   :domain => "my.host.name",
>   :enable_starttls_auto => false
> }
>
> > I know the hostname and the ip address of the specific machine that will
> > be attempting to send the email. Is there anyway possible to make exim
> > accept it without using TLS?
>
> Of course, you must accept email without TLS as well, but that is the
> default, so if you've changed it then you must know how you did so, to be
> able to undo it.
>
> Cheers, Chris.
>
Thanks all for the help. It appears this was actually a Rails issue after all
and nothing to do with my exim4 server setup. After hours of research there
was a plugin that needed to be installed to get it to work, even though every
piece of documentation that I read said that it should just plain work out of
the box with my version numbers.

Thanks again for the help.

-Eric

