
Re: default MTA



On Sunday, June 02, 2013 17:10:02, Marc Haber wrote:
> On Sat, 1 Jun 2013 15:06:40 -0400, Chris Knadle
> <Chris.Knadle@coredump.us> wrote:
> >I can understand why one would want this, but I can also understand why it
> >hasn't been done.  Without first setting up TLS, this would involve
> >passing a username/password over the 'net in the clear, which is
> >something I try hard to never ever have happen.  This is especially
> >something you don't want to do if it's your own personal email login,
> >which is a likely use case for this proposed debconf code.  :-/
> 
> Exim's default in the packages is not to send authentication data over
> a non-encrypted connection. The debconf code could try to check
> whether the smarthost allows TLS, and if not, query the user whether
> it is ok to send the password over a non-encrypted connection.

Yeah, I see why this test could be useful; gnutls-bin is listed as a Suggests 
by exim4-base, so the TLS libraries may not be locally available.

The normal way I know to check for TLS availability is to telnet to the SMTP 
port, give an "EHLO <FQDN>" (and it must be an EHLO) or "EHLO [<IP_address>]", 
and then look for a "STARTTLS" advertisement in the response from the server.  
Unfortunately this isn't always possible; some systems filter telnet from 
reaching the MTA.  I don't yet know how to check a remote server for this 
using a local Exim binary; there's an -MCT option mentioned in the Exim man 
page for this, but it's an option used internally by Exim and not meant to be 
used by an external caller.

Attempting to use an FQDN is also troublesome, because Exim tries to use DNS 
to look up the FQDN, and falls back to using 'uname -n' which returns the 
local hostname without a domain name.  The SMTP RFCs require the HELO/EHLO 
information to contain an FQDN or an IP address in [] brackets, and some mail 
systems reject connections containing non-conforming HELO/EHLO greetings.


I think swaks may be able to do this via something like:

   swaks --ehlo [192.168.1.1] --server <smarthost_FQDN> -p <port> \
         -tls -q TLS

... but swaks is a package Suggested by exim4-base rather than a Depends, so 
swaks may not be available for use with debconf.


Let me know if you have suggestions.

> >   In this example, the FQDN of the local machine is orac.example.com
> >   and the smarthost machine is smtp.example.com
> >   
> >   Create new file /etc/exim4/exim4.conf.localmacros containing:
> >       MAIN_TLS_ENABLE = true
> >       primary_hostname = orac.example.com
> 
> I don't think you need MAIN_TLS_ENABLE to do TLS as a client.

Tested this... looks like this is true.  :-)  Cool.  [I'm pretty sure this 
wasn't always the case, but I'm glad it is now.]

> >   Modify /etc/exim4/exim4.conf.template for the remote_smtp_smarthost
> >   to change the sending port to 587.  (In the U.S. there are a lot of
> >   ISPs that block outbound port 25 except for the ISP's mail servers):
> >       ...
> >       remote_smtp_smarthost:
> >          debug_print = "T: remote_smtp_smarthost for $local_part@$domain"
> >          driver = smtp
> >          port = 587    # <--- add this line
> >          ...
> 
> You can set sc_smarthost to hostname::587 without having to change the
> transport, see update-exim4.conf(8) or the debconf template for
> dc_smarthost.

Sweet.  Thanks!  This really helps because it means I can avoid having to 
modify exim4.conf.template altogether, which will simplify upgrades.

> >   Modify /etc/exim4/passwd.client to add a smarthost:username:password
> >   triplet for sending email:
> >       smtp.example.com:Orac:SillyPassword
> 
> That's what I'd want to be debconfed

Right.

> >   On the mail server machine (i.e. smtp.example.com), make an MD5
> >   password hash of the password used on the client machine via command:
> >       #mkpasswd -H md5 SillyPassword
> >       $1$fUJ2RJ3J$1JvM9dutQs3dbM8DXts1H1
> >   Then modify /etc/exim4/passwd on the server to add a
> >   username:hashed_passwd:passwd triplet for the client:
> >       Orac:$1$fUJ2RJ3J$1JvM9dutQs3dbM8DXts1H1:SillyPassword
> 
> You can also use a more modern hash if the server is Debian exim as well.

The exim4_files(5) man page recommends MD5, which is why I was using it, and 
the README.Debian.gz document simply refers to this man page.  However 
crypt(3) indicates that sha-256 is supported too, so I tried it with Exim's 
passwd file... sure enough, that works.  ;-)

Thanks for letting me know about this.

  -- Chris

--
Chris Knadle
Chris.Knadle@coredump.us
GPG Key: 4096R/0x1E759A726A9FDD74
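As an added example (not part of this thread or of Exim/Debian), the EHLO check described above written in Python: it parses the multi-line 250 reply for a STARTTLS keyword, and a network helper sends `EHLO [ip]` with a bracketed IP literal so no resolvable FQDN is needed. The hostnames, the 192.168.1.1 literal and the sample replies are constructed.

```python
"""Check whether an SMTP smarthost advertises STARTTLS in its EHLO reply.

Added example, not from the mailing-list thread. Nothing here sends
credentials: the connection is closed with QUIT right after EHLO."""
import re
import socket

# Constructed EHLO replies, as an Exim-style server might return them.
SAMPLE_TLS = ("250-smtp.example.com Hello [192.168.1.1]\r\n250-SIZE 52428800\r\n"
              "250-8BITMIME\r\n250-PIPELINING\r\n250-STARTTLS\r\n250 HELP\r\n")
SAMPLE_NO_TLS = ("250-smtp.example.com Hello [192.168.1.1]\r\n250-SIZE 52428800\r\n"
                 "250-AUTH PLAIN LOGIN\r\n250 HELP\r\n")

def parse_ehlo_reply(reply):
    """Return {KEYWORD: params} from a multi-line EHLO reply.
    RFC 5321: every line but the last is '250-KEYWORD params', the last is
    '250 KEYWORD params'; the first line carries the server greeting."""
    lines = [l for l in reply.replace("\r\n", "\n").split("\n") if l]
    if not lines or not lines[0].startswith("250"):
        raise ValueError("EHLO not accepted: %r" % (lines[:1],))
    extensions = {}
    for line in lines[1:]:
        m = re.match(r"^250[ -](\S+)(?:\s+(.*))?$", line)
        if not m:
            raise ValueError("malformed EHLO line: %r" % line)
        extensions[m.group(1).upper()] = m.group(2) or ""
    return extensions

def advertises_starttls(reply):
    return "STARTTLS" in parse_ehlo_reply(reply)

def smarthost_offers_starttls(host, port=587, ehlo_ip="192.168.1.1", timeout=10):
    """Connect to host:port, send 'EHLO [ehlo_ip]', report STARTTLS support."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rb")
        def read_reply():
            out = []
            while True:  # a reply continues while the 4th character is '-'
                line = f.readline().decode("ascii", "replace")
                out.append(line)
                if len(line) < 4 or line[3] != "-":
                    return "".join(out)
        banner = read_reply()
        if not banner.startswith("220"):
            raise RuntimeError("unexpected banner: " + banner.strip())
        sock.sendall(("EHLO [%s]\r\n" % ehlo_ip).encode("ascii"))
        reply = read_reply()
        sock.sendall(b"QUIT\r\n")
        return advertises_starttls(reply)
```

A debconf-style flow would call `smarthost_offers_starttls()` and only prompt for the password when it returns True, or explicitly ask the user to accept the risk otherwise.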
