On Friday, May 31, 2013 07:15:36, Marc Haber wrote:
> On Thu, 30 May 2013 19:51:04 -0400, Chris Knadle <Chris.Knadle@coredump.us> wrote:
> >For Exim, the one thing I would want to change would be to ship a
> >configuration that by default created an SSL certificate and enabled
> >MAIN_TLS_ENABLE to enable TLS SMTP transfers.
>
> For e-mail coming in from other clients, with the local exim acting as
> a server?
Interesting possibility, but no, that's not what I had in mind.
> Certificates are usually only used in E-Mail when a server
> authenticates itself to a client before the client sends its
> authentication data.
Yes, you're right. After I had pointed out the existence of Section 2.2 in
/usr/share/doc/exim4-base/README.Debian.gz I re-read it, and it points out
that the SSL certificates are only required for TLS when Exim is acting as a
server, and are _not_ necessary when Exim is passing along email as a client
to another MTA.
> SMTP with client certificates is possible, but I
> have only seen this two times in 15 years of running E-Mail servers.
Yes I'd expect this to be rare, and I can't recall using them for SMTP.
> > [The Postfix package in Debian does this.] There's documentation and
> > help for doing this for Exim in /usr/share/doc/exim4-base/README.Debian.gz
> > in Section 2.2 though, and so I suspect there's a _reason_ why this isn't
> > the default.
>
> No one has yet written code to do that, and volunteered to document and
> support it.
>
> Personally, I think that before we improve Exim's packaging in Debian
> to be an SMTP server, we should first make it easier to use Exim as a
> client with a smart host, thus debconfing the username/password and
> authentication scheme. No one has volunteered to write that code,
> either.
I can understand why one would want this, but I can also understand why it
hasn't been done. Without first setting up TLS, this would involve passing a
username/password over the 'net in the clear, which is something I try hard to
never ever have happen. This is especially something you don't want to do if
it's your own personal email login, which is a likely use case for this
proposed debconf code. :-/
I'll list the steps _I_ take for setting up an Exim4 client (now that I've
finally formally documented them for myself). This enables TLS, sets
primary_hostname to set the full FQDN for the HELO greeting sent, and sends
email to a smarthost with destination port 587 via SMTP AUTH.
In this example, the FQDN of the local machine is orac.example.com
and the smarthost machine is smtp.example.com.
Create new file /etc/exim4/exim4.conf.localmacros containing:
MAIN_TLS_ENABLE = true
primary_hostname = orac.example.com
Modify /etc/exim4/exim4.conf.template for the remote_smtp_smarthost
to change the sending port to 587. (In the U.S. there are a lot of
ISPs that block outbound port 25 except for the ISP's mail servers):
...
remote_smtp_smarthost:
debug_print = "T: remote_smtp_smarthost for $local_part@$domain"
driver = smtp
port = 587 # <--- add this line
...
Run '/etc/init.d/exim4 reload' to pull in the new configuration.
Modify /etc/exim4/passwd.client to add a smarthost:username:password
triplet for sending email:
smtp.example.com:Orac:SillyPassword
On the mail server machine (i.e. smtp.example.com), make an MD5
password hash of the password used on the client machine via command:
# mkpasswd -H md5 SillyPassword
$1$fUJ2RJ3J$1JvM9dutQs3dbM8DXts1H1
Then modify /etc/exim4/passwd on the server to add a
username:hashed_passwd:passwd triplet for the client:
Orac:$1$fUJ2RJ3J$1JvM9dutQs3dbM8DXts1H1:SillyPassword
As I mentioned previously, the reason I go through making a new
username/password pair for each client is so that I don't risk a personal
email account, and so that I can revoke any one machine's email login at the
server in case of a client compromise of some kind. [It's never happened, but
I try to plan for it anyway.]
> >> This wiki page has a nice summary http://wiki.debian.org/DefaultMTA
> >
> >I think the negative point of "Support community limited outside of
> >Debian" is untrue. The exim-users@exim.org mailing list is very active
> >and responsive, and Exim has become the most popular MTA since sometime
> >in 2008.
>
> Agreed, but exim's development speed has considerably slowed down
> since Philip Hazel retired. The exim community is still alive, but I'd
> say it's in limbo. Which is a real shame.
I know what you mean -- the community has slowed a bit, but I don't
(personally) feel that it's gotten down to "limbo", because there are people
still supporting the code and making new features and improvements.
-- Chris
--
Chris Knadle
Chris.Knadle@coredump.us
GPG Key: 4096R/0x1E759A726A9FDD74
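The client-side steps from the message above (localmacros, port 587 on the remote_smtp_smarthost transport, the passwd.client triplet, reload), collected into one re-runnable script. This is an added example, not code from the message or from the Debian exim4 package; it assumes the Debian exim4 file layout and takes the configuration directory as an argument, so it can be rehearsed on a copy of /etc/exim4 before the live files are touched. The host names, login and password are the constructed placeholders from the message, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the mailing-list message): the Exim4 smarthost
# client setup described above as an idempotent script. The first argument
# is the configuration directory, so a copy of /etc/exim4 can be used for a
# dry run. Assumes Debian's exim4 layout (exim4.conf.template,
# exim4.conf.localmacros, passwd.client) and the Debian-exim group.
set -eu

# Step 1: enable TLS and pin the HELO name via the localmacros file.
write_localmacros() {                       # args: root fqdn
    printf 'MAIN_TLS_ENABLE = true\nprimary_hostname = %s\n' "$2" \
        > "$1/exim4.conf.localmacros"
}

# True when the remote_smtp_smarthost transport already has a port option.
# A transport starts at "name:" in column 1 and ends at the next such line.
has_smarthost_port() {                      # args: root
    awk '
        /^remote_smtp_smarthost:/ { in_t = 1; next }
        /^[A-Za-z_]+:/            { in_t = 0 }
        in_t && /^[ \t]*port[ \t]*=/ { found = 1 }
        END { exit !found }
    ' "$1/exim4.conf.template"
}

# Step 2: add "port = 587" right after "driver = smtp" inside the
# remote_smtp_smarthost transport only, reusing that line's indentation.
# The plain remote_smtp transport (port 25) is left alone.
add_submission_port() {                     # args: root
    tpl="$1/exim4.conf.template"
    has_smarthost_port "$1" && return 0     # already done: nothing to change
    awk '
        /^remote_smtp_smarthost:/ { in_t = 1 }
        /^[A-Za-z_]+:/ && !/^remote_smtp_smarthost:/ { in_t = 0 }
        { print }
        in_t && /^[ \t]*driver[ \t]*=[ \t]*smtp[ \t]*$/ {
            match($0, /^[ \t]*/)
            print substr($0, 1, RLENGTH) "port = 587"
            in_t = 0
        }
    ' "$tpl" > "$tpl.new" && mv "$tpl.new" "$tpl"
}

# Step 3: the smarthost:login:password triplet. ":" is the field separator,
# so neither login nor password may contain it. The file holds a clear-text
# secret: create it unreadable to others, then hand it to root:Debian-exim
# mode 0640, which is how Debian's exim4 expects to read it.
write_passwd_client() {                     # args: root smarthost login password
    case "$3$4" in
        *:*) echo "login and password must not contain ':'" >&2; return 1 ;;
    esac
    f="$1/passwd.client"
    ( umask 077; printf '%s:%s:%s\n' "$2" "$3" "$4" > "$f" )
    chmod 0640 "$f"
    if [ "$(id -u)" -eq 0 ] && getent group Debian-exim >/dev/null 2>&1; then
        chown root:Debian-exim "$f"
    fi
}

configure_exim_client() {                   # args: root fqdn smarthost login password
    root="$1"
    write_localmacros "$root" "$2"
    add_submission_port "$root"
    write_passwd_client "$root" "$3" "$4" "$5"
    # Step 4: only the live configuration is regenerated and reloaded.
    if [ "$root" = /etc/exim4 ]; then
        /etc/init.d/exim4 reload
    fi
}

# Runs only when given all five arguments, e.g.:
#   sh exim4-client.sh /etc/exim4 orac.example.com smtp.example.com Orac SillyPassword
if [ $# -eq 5 ]; then
    configure_exim_client "$@"
fi
```

Rehearse it first on a copy (`cp -a /etc/exim4 /tmp/exim4-test` and pass that path), diff the result against the original, and only then run it against /etc/exim4. Because the port insertion is keyed to the remote_smtp_smarthost transport and checks for an existing port line, the script can be re-run after package upgrades replace the template without producing duplicate entries.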