mailinglists at vanhlebarsoftware
Aug 26, 2008, 10:44 AM
Post #3 of 4
(387 views)
Permalink
|
Hi Dan:
Thanks for the direction. I actually had to remove the following (well
commented them out actually)
tls_verifycertificates
tls_verify_hosts
tls_try_verify_hosts
I am not sure why I had to do that, but then again I am not really
following the documentation very well here that I have read. I am
guessing that these three are to be used if I where supplying a
certificate from my client to Exim4, which I am not. I am just trying to
get a secure connection so that the username/password are not passed in
clear text over the transmission and not having to open up any type of
relay hosts on my server.
I am now able to email from my phone, and any other sites that I use
email from without having to specify any relay-from-hosts items.
Thanks again for the help, that was pretty much my last issue that I had
with my email server.
The only remaining open item that I need to track down is why every time
I connect to my mail server I am asked to accept the certificate, even
though I have already done that. I think it also has something to do
with the fact that I currently have two different domains on this
machine ericbonney.com and bonneycpa.com but the certificate is for
bonneycpa.com. More research to be done there, but that is just a minor
annoyance. :)
Thanks again.
-Eric
Dan_Mitton [at] YMP wrote:
> Eric,
>
> I'm not positive here, but try removing the 'tls_verifycertificates' from
> your configuration. If I'm reading the doc right, I believe that is used
> to verify the sending client certificates. Is Thunderbird using the same
> mycert.crt?
>
> See:
> http://www.exim.org/exim-html-current/doc/html/spec_html/ch39.html#SECID183
>
> Dan
>
>
>
> Please respond to mailinglists [at] vanhlebarsoftware
> Sent by: exim-users-bounces [at] exim
> To: exim-users [at] exim
> cc: (bcc: Dan Mitton/YD/RWDOE)
> Subject: [exim] Help with TLS and SMTP
> LSN: Not Relevant
> User Filed as: Not a Record
>
> I am trying to force my users to use TLS when sending out any emails.
> They must authenticate against my MySQL tables also. I think I have the
> authentication stuff down, but I am having issues with the TLS part of
> it. I created a .crt and .key file with the following command:
>
> openssl req -x509 -newkey rsa:1024 -keyout mycert.key -out mycert.crt
> -days 365 -nodes
>
> I then put the .key/.crt file in my /etc/exim4 directory and made sure
> that they where both owned by root, but readable by the user used to run
> the exim4 process.
>
> in my .conf file for exim here is what I have for the tls options:
>
> tls_advertise_hosts = *
> tls_certificate = /etc/exim4/mycert.crt
> tls_privatekey = /etc/exim4/mycert.key
> tls_verifycertificates = /etc/exim4/mycert.crt
> tls_verify_hosts = *
> tls_try_verify_hosts = *
>
> In my acl_check_rcpt I have the following:
> require
> message = relay not permitted
> domains = +local_domains : +relay_to_domains
>
> I am not sure what else I should give in order to make this be complete.
> When I telnet into the port and then issue a ehlo example.com command I
> get the following:
> 250-SIZE 52428800
> 250-PIPELINING
> 250-STARTTLS
> 250 HELP
>
> When I try to send an email from Thunderbird using one of the domains I
> am hosting I get the following error:
> Sending of message failed.
> The message could not be sent because connection to SMTP server
> mail.example.com failed. The server may be unavailable or is refusing
> SMTP connections. Please verify that your SMTP server setting is correct
> and try again, or else contact your network administrator.
>
> Lastly, the error that is recorded in the logs is as follows:
> TLS error on connection from ([xxx.xxx.x.xxx]) [xxx.xxx.x.xxx]
> (gnutls_handshake): A TLS warning alert has been received.
>
> Sorry for the long email, but I wanted to try and get as much
> information as I currently have to the list. Any help is appreciated and
> if there is anything else that I can provide, please just ask.
>
> Thanks,
> -Eric
>
>
--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
|
