On Friday, May 31, 2013 07:15:36, Marc Haber wrote:
> On Thu, 30 May 2013 19:51:04 -0400, Chris Knadle
> <Chris.Knadle@coredump.us> wrote:
> >For Exim, the one thing I would want to change would be to ship a
> >configuration that by default created an SSL certificate and enabled
> >MAIN_TLS_ENABLE to enable TLS SMTP transfers.
>
> For e-mail coming in from other clients, with the local exim acting as
> a server?

Interesting possibility, but no, that's not what I had in mind.

> Certificates are usually only used in E-Mail when a server
> authenticates itself to a client before the client sends its
> authentication data.

Yes, you're right. After I had pointed out the existence of Section 2.2 in
/usr/share/doc/exim4-base/README.Debian.gz I re-read it, and it points out
that the SSL certificates are only required for TLS when Exim is acting as a
server, and are _not_ necessary when Exim is passing along email as a client
to another MTA.

> SMTP with client certificates is possible, but I
> have only seen this two times in 15 years of running E-Mail servers.

Yes, I'd expect this to be rare, and I can't recall using them for SMTP.

> > [The Postfix package in Debian does this.] There's documentation and
> > help for doing this for Exim in /usr/share/doc/exim4-base/README.Debian.gz
> > in Section 2.2 though, and so I suspect there's a _reason_ why this isn't
> > the default.
>
> No one has yet written code to do that, and volunteered to document and
> support it.
>
> Personally, I think that before we improve Exim's packaging in Debian
> to be an SMTP server, we should first make it easier to use Exim as a
> client with a smart host, thus debconfing the username/password and
> authentication scheme. No one has volunteered to write that code,
> either.

I can understand why one would want this, but I can also understand why it
hasn't been done.

Without first setting up TLS, this would involve passing a username/password
over the 'net in the clear, which is something I try hard to never ever have
happen. This is especially something you don't want to do if it's your own
personal email login, which is a likely use case for this proposed debconf
code. :-/

I'll list the steps _I_ take for setting up an Exim4 client (now that I've
finally formally documented them for myself). This enables TLS, sets
primary_hostname to set the full FQDN for the HELO greeting sent, and sends
email to a smarthost with destination port 587 via SMTP AUTH.

In this example, the FQDN of the local machine is orac.example.com and the
smarthost machine is smtp.example.com.

Create new file /etc/exim4/exim4.conf.localmacros containing:

   MAIN_TLS_ENABLE = true
   primary_hostname = orac.example.com

Modify /etc/exim4/exim4.conf.template for the remote_smtp_smarthost to change
the sending port to 587. (In the U.S. there are a lot of ISPs that block
outbound port 25 except for the ISP's mail servers):

   ...
   remote_smtp_smarthost:
     debug_print = "T: remote_smtp_smarthost for $local_part@$domain"
     driver = smtp
     port = 587        # <--- add this line
   ...

Run '/etc/init.d/exim4 reload' to pull in the new configuration.

Modify /etc/exim4/passwd.client to add a smarthost:username:password triplet
for sending email:

   smtp.example.com:Orac:SillyPassword

On the mail server machine (i.e. smtp.example.com), make an MD5 password hash
of the password used on the client machine via command:

   # mkpasswd -H md5 SillyPassword
   $1$fUJ2RJ3J$1JvM9dutQs3dbM8DXts1H1

Then modify /etc/exim4/passwd on the server to add a
username:hashed_passwd:passwd triplet for the client:

   Orac:$1$fUJ2RJ3J$1JvM9dutQs3dbM8DXts1H1:SillyPassword

As I mentioned previously, the reason I go through making a new
username/password pair for each client is so that I don't risk a personal
email account, and so that I can revoke any one machine's email login at the
server in case of a client compromise of some kind.
[It's never happened, but I try to plan for it anyway.]

> >> This wiki page has a nice summary http://wiki.debian.org/DefaultMTA
> >
> >I think the negative point of "Support community limited outside of
> >Debian" is untrue. The exim-users@exim.org mailing list is very active
> >and responsive, and Exim has become the most popular MTA since sometime
> >in 2008.
>
> Agreed, but exim's development speed has considerably slowed down
> since Philip Hazel retired. The exim community is still alive, but I'd
> say it's in limbo. Which is a real shame.

I know what you mean -- the community has slowed a bit, but I don't
(personally) feel that it's gotten down to "limbo", because there are people
still supporting the code and making new features and improvements.

  -- Chris

--
Chris Knadle
Chris.Knadle@coredump.us
GPG Key: 4096R/0x1E759A726A9FDD74
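The following is an added example, not part of Chris Knadle's post and not
Exim or Debian code. It shows, in Python, the client behaviour his smarthost
setup relies on: read the smarthost:username:password triplet from an
exim4-style passwd.client file, EHLO on port 587, refuse to go any further
unless the server offers STARTTLS, and only send AUTH after the TLS session is
up and the post-STARTTLS EHLO advertises AUTH. The file contents, host names
(smtp.example.com, orac.example.com), the "Orac"/"SillyPassword" pair and the
two EHLO replies are constructed sample data; the "*" catch-all entry mirrors
the wildcard host lookup Debian's configuration does on passwd.client. The
policy and parsing functions are pure so they can be exercised offline; only
submit_via_smarthost() talks to a network.

```python
"""Submit mail to a smarthost the way the post describes: STARTTLS first,
then SMTP AUTH on port 587, credentials taken from an exim4-style
passwd.client file. Added illustration, not Exim's own code."""
import smtplib
import ssl

# Constructed sample of /etc/exim4/passwd.client (not a real file):
# one "host:user:password" triplet per line, '#' comments, and a '*'
# entry that acts as a catch-all for any host without its own line.
SAMPLE_PASSWD_CLIENT = """\
# password file used when the local exim is authenticating to a
# remote host as a client.
smtp.example.com:Orac:SillyPassword
*:fallback:FallbackSecret
"""

# Constructed EHLO replies: what a submission server typically shows
# before STARTTLS (no AUTH yet) and after it (AUTH now offered).
EHLO_BEFORE_TLS = ("250-smtp.example.com Hello orac.example.com\n"
                   "250-SIZE 52428800\n"
                   "250-STARTTLS\n"
                   "250 HELP")
EHLO_AFTER_TLS = ("250-smtp.example.com Hello orac.example.com\n"
                  "250-SIZE 52428800\n"
                  "250-AUTH PLAIN LOGIN\n"
                  "250 HELP")


def parse_passwd_client(text):
    """Return {host: (user, password)} from passwd.client contents.
    A password may itself contain ':', so split at most twice."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host, user, password = line.split(":", 2)
        table[host] = (user, password)
    return table


def lookup_credentials(table, smarthost):
    """Exact host name first, then the '*' catch-all; None if neither
    matches (a simplified stand-in for exim's wildcard lsearch)."""
    if smarthost in table:
        return table[smarthost]
    return table.get("*")


def parse_ehlo(reply):
    """Set of upper-cased ESMTP keywords from a raw multi-line EHLO reply.
    The first line is the server greeting, not a capability."""
    features = set()
    for line in reply.splitlines()[1:]:
        body = line[4:]              # strip "250-" or "250 "
        features.add(body.split()[0].upper())
    return features


def auth_allowed(features, tls_active):
    """The rule the post is built around: never send a password unless
    the session is already under TLS and the server advertises AUTH in
    the EHLO reply issued *after* STARTTLS."""
    return tls_active and "AUTH" in features


def submit_via_smarthost(smarthost, mail_from, rcpt_to, message,
                         passwd_client_text, port=587,
                         local_hostname="orac.example.com"):
    """EHLO, insist on STARTTLS with certificate verification, EHLO
    again, then AUTH and send. Raises rather than logging in in the
    clear. Returns smtplib's dict of refused recipients (empty on success)."""
    creds = lookup_credentials(parse_passwd_client(passwd_client_text),
                               smarthost)
    if creds is None:
        raise RuntimeError("no passwd.client entry for %s" % smarthost)
    context = ssl.create_default_context()   # verify against system CAs
    with smtplib.SMTP(smarthost, port, local_hostname=local_hostname,
                      timeout=30) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError("%s does not offer STARTTLS; refusing to "
                               "send credentials in the clear" % smarthost)
        smtp.starttls(context=context)
        smtp.ehlo()                          # re-read capabilities under TLS
        features = {k.upper() for k in smtp.esmtp_features}
        if not auth_allowed(features, True):
            raise RuntimeError("no AUTH offered after STARTTLS")
        smtp.login(*creds)
        return smtp.sendmail(mail_from, rcpt_to, message)


if __name__ == "__main__":
    # Offline demonstration of the policy on the constructed replies.
    print("AUTH before TLS allowed?",
          auth_allowed(parse_ehlo(EHLO_BEFORE_TLS), False))
    print("AUTH after TLS allowed?",
          auth_allowed(parse_ehlo(EHLO_AFTER_TLS), True))
```

Two things worth keeping in mind when using this against a real setup: the
passwd.client file holds the password in cleartext, so it must stay readable
only by root and the Debian-exim group as the package ships it (root:Debian-exim,
mode 0640), and the verified TLS context means the smarthost's certificate
must chain to a CA the client trusts; a self-signed certificate on
smtp.example.com will make starttls() fail rather than silently downgrade.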