
exim4 and TLS



Hello, you SMTP experts!
After I managed, with your help [see exim4, dovecot und thunderbird], to access
the system mails with Thunderbird, I now wanted to try receiving other emails as
well. On the home network that worked (and still works) without problems via
port 25. But since emails from outside are also supposed to be accepted, I tried
to switch the whole thing over to port 465 and STARTTLS and failed miserably!
Several days of googling have brought me closer to the solution, but the goal
is, for me, not yet in sight. I am hoping for your help.

Current status of exim4 [4.84.2-1]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#~# service exim4 status
● exim4.service - LSB: exim Mail Transport Agent
   Loaded: loaded (/etc/init.d/exim4)
   Active: active (running) since So 2016-04-17 09:56:41 CEST; 11ms ago
  Process: 1768 ExecStop=/etc/init.d/exim4 stop (code=exited, status=0/SUCCESS)
  Process: 1779 ExecStart=/etc/init.d/exim4 start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/exim4.service
           ├─2030 /usr/sbin/exim4 -bd -q30m
           └─2031 /usr/sbin/exim4 -q

Apr 17 09:56:41 ct-Server exim4[1779]: Starting MTA: exim4.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Attempt to establish a connection
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#~# telnet myhost.dyndns.org 465
Trying 84.130.x.xx2...
Connected to myhost.dyndns.org.
Escape character is '^]'.
220 ct-Server.myhost.dyndns.org ESMTP Exim 4.84_2 Sun, 17 Apr 2016 09:57:34 +0200
EHLO myhost.dyndns.org
250-ct-Server.myhost.dyndns.org Hello p54820884.dip0.t-ipconnect.de [84.130.x.xx2]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-STARTTLS
250 HELP
STARTTLS
220 TLS go ahead
EHLO myhost.dyndns.org
Connection closed by foreign host.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The corresponding entry in /var/log/exim4/mainlog
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2016-04-17 09:59:24 TLS error on connection from p54820884.dip0.t-ipconnect.de (myhost.dyndns.org) [84.130.x.xx2] (gnutls_handshake): An unexpected TLS packet was received.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Checking the configuration:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#~# exim -C /var/lib/exim4/config.autogenerated -bV
Exim version 4.84_2 #2 built 13-Mar-2016 17:47:19
Copyright (c) University of Cambridge, 1995 - 2014
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2014
Berkeley DB: Berkeley DB 5.3.28: (September  9, 2013)
Support for: crypteq iconv() IPv6 GnuTLS move_frozen_messages DKIM PRDR OCSP
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch nis nis0 passwd
Authenticators: cram_md5 plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore autoreply lmtp pipe smtp
Fixed never_users: 0
Size of off_t: 8
Configuration file is /var/lib/exim4/config.autogenerated
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Checking the certificates
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#~# openssl x509 -noout -text -in /etc/exim4/exim.crt
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 10802394886874817666 (0x95e9d0ea83ab6482)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=DE, ST=NDS, CN=myhost.dyndns.org
        Validity
            Not Before: Apr 16 17:48:48 2016 GMT
            Not After : Apr 16 17:48:48 2019 GMT
        Subject: C=DE, ST=NDS, CN=myhost.dyndns.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:.....................
#~# openssl rsa -noout -text -in /etc/exim4/exim.key
Private-Key: (2048 bit)
modulus:
    00:.....................
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Permissions in the /etc/exim4/ directory
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#~# dir /etc/exim4/
total 124
drwxr-xr-x   3 root root         4096 2016-04-17 09:55 .
drwxr-xr-x 124 root root        12288 2016-04-15 09:11 ..
drwxr-xr-x   9 root root         4096 2016-01-12 16:54 conf.d
-rw-r--r--   1 root root          162 2016-04-17 10:50 exim4.conf.localmacros
-rw-r--r--   1 root root        77382 2016-04-16 19:05 exim4.conf.template
-rw-r-----   1 root Debian-exim  1082 2016-04-16 19:48 exim.crt
-rw-r-----   1 root Debian-exim  1704 2016-04-16 19:48 exim.key
-rw-r-----   1 root Debian-exim   104 2016-04-17 10:50 passwd
-rw-r-----   1 root Debian-exim   204 2015-02-17 18:01 passwd.client
-rw-r--r--   1 root root         1116 2016-04-16 18:29 update-exim4.conf.conf
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The attempt via openssl fails
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#~# openssl s_client -connect 192.168.xxx.xx3:456
connect: Connection refused
connect:errno=111
#~# openssl s_client -connect myhost.dyndns.org:456
connect: No route to host
connect:errno=113
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

although a route to the host does seem to exist (/var/log/mail.log)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Apr 17 11:42:52 ct-Server dovecot: auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
Apr 17 11:42:52 ct-Server dovecot: auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
Apr 17 11:42:52 ct-Server dovecot: auth: Debug: auth client connected (pid=26006)
Apr 17 11:42:52 ct-Server dovecot: auth: Debug: auth client connected (pid=26008)
Apr 17 11:42:52 ct-Server dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=81.3.14.22, lip=192.168.xxx.xx3, session=<ot5gEaswgwBRAw4W>
Apr 17 11:42:52 ct-Server dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=81.3.14.22, lip=192.168.xxx.xx3, session=<P+dgEaswowBRAw4W>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

An attempt with swaks:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#~# swaks -tlsc -s myhost.dyndns.org -q EHLO -p 465
=== Trying myhost.dyndns.org:465...
=== Connected to myhost.dyndns.org.
*** TLS startup failed (connect(): error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol)
#~# swaks -tlsc -s 192.168.xxx.xx3 -q EHLO -p 465
=== Trying 192.168.xxx.xx3:465...
=== Connected to 192.168.xxx.xx3.
*** TLS startup failed (connect(): error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
And last but not least, this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#~# exim -bP
accept_8bitmime
acl_not_smtp = 
acl_not_smtp_start = 
acl_smtp_auth = 
acl_smtp_connect = 
acl_smtp_data = acl_check_data
acl_smtp_data_prdr = 
acl_smtp_dkim = 
acl_smtp_etrn = 
acl_smtp_expn = 
acl_smtp_helo = 
acl_smtp_mail = acl_check_mail
acl_smtp_mailauth = 
acl_smtp_notquit = 
acl_smtp_predata = 
acl_smtp_quit = 
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_starttls = 
acl_smtp_vrfy = 
add_environment = 
admin_groups =
no_allow_domain_literals
no_allow_mx_to_ip
no_allow_utf8_domains
auth_advertise_hosts = *
auto_thaw = 0s
bi_command = 
bounce_message_file = 
bounce_message_text = 
bounce_return_body
bounce_return_message
bounce_return_size_limit = 100K
bounce_sender_authentication = 
callout_domain_negative_expire = 3h
callout_domain_positive_expire = 1w
callout_negative_expire = 2h
callout_positive_expire = 1d
callout_random_local_part = $primary_hostname-$tod_epoch-testing
check_log_inodes = 0
check_log_space = 0
check_rfc2047_length
check_spool_inodes = 0
check_spool_space = 0
daemon_smtp_ports = smtp
daemon_startup_retries = 9
daemon_startup_sleep = 30s
delay_warning = 1d
delay_warning_condition = ${if or {{ !eq{$h_list-id:$h_list-post:$h_list-subscribe:}{} }{ match{$h_precedence:}{(?i)bulk|list|junk} }{ match{$h_auto-submitted:}{(?i)auto-generated|auto-replied} }} {no}{yes}}
no_deliver_drop_privilege
deliver_queue_load_max =
delivery_date_remove
no_disable_ipv6
dkim_verify_signers = $dkim_signers
dns_again_means_nonexist = 
dns_check_names_pattern = (?i)^(?>(?(1)\.|())[^\W](?>[a-z0-9/_-]*[^\W])?)+(\.?)$
dns_csa_search_limit = 5
dns_csa_use_reverse
dns_dnssec_ok = -1
dns_ipv4_lookup = 
dns_retrans = 0s
dns_retry = 0
dns_use_edns0 = -1
no_drop_cr
dsn_from = Mail Delivery System <Mailer-Daemon@$qualify_domain>
envelope_to_remove
errors_copy = 
errors_reply_to = 
exim_group = Debian-exim
exim_path = /usr/sbin/exim4
exim_user = Debian-exim
extra_local_interfaces = 
extract_addresses_remove_arguments
finduser_retries = 0
freeze_tell = postmaster
gecos_name = $1
gecos_pattern = ^([^,:]*)
no_gnutls_allow_auto_pkcs11
no_gnutls_compat_mode
gnutls_require_kx = 
gnutls_require_mac = 
gnutls_require_protocols = 
header_line_maxsize = 0
header_maxsize = 1048576
headers_charset = UTF-8
helo_accept_junk_hosts = 
helo_allow_chars = 
helo_lookup_domains = @ : @[]
helo_try_verify_hosts = 
helo_verify_hosts = 
hold_domains = 
host_lookup = *
host_lookup_order = bydns:byaddr
host_reject_connection = 
hosts_connection_nolog = 
hosts_treat_as_local = 
ignore_bounce_errors_after = 2d
ignore_fromline_hosts = 
no_ignore_fromline_local
keep_environment = 
keep_malformed = 4d
no_local_from_check
local_from_prefix = 
local_from_suffix = 
local_interfaces = <; 127.0.0.1.25 ; ::1.25 ; 0.0.0.0.465
local_scan_path = 
local_scan_timeout = 5m
local_sender_retain
localhost_number = 
log_file_path = /var/log/exim4/%slog
log_selector = +tls_peerdn
no_log_timezone
lookup_open_max = 25
max_username_length = 0
no_message_body_newlines
message_body_visible = 500
message_id_header_domain = 
message_id_header_text = 
message_logs
message_size_limit = 50M
no_move_frozen_messages
no_mua_wrapper
never_users =
openssl_options = 
percent_hack_domains = 
pid_file_path = /var/run/exim4/exim.pid
pipelining_advertise_hosts = *
no_prdr_enable
no_preserve_message_logs
primary_hostname = ct-Server.myhost.dyndns.org
no_print_topbitchars
process_log_path = /var/spool/exim4/exim-process.info
prod_requires_admin
qualify_domain = myhost.dyndns.org
qualify_recipient = myhost.dyndns.org
queue_domains = 
queue_list_requires_admin
no_queue_only
queue_only_file = 
queue_only_load =
queue_only_load_latch
queue_only_override
no_queue_run_in_order
queue_run_max = 5
queue_smtp_domains = 
receive_timeout = 0s
received_header_text = Received: ${if def:sender_rcvhost {from $sender_rcvhost\n\t}{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)\n\t}}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} ${if def:tls_cipher {($tls_cipher)\n\t}}(Exim $version_number)\n\t${if def:sender_address {(envelope-from <$sender_address>)\n\t}}id $message_exim_id${if def:received_for {\n\tfor $received_for}}
received_headers_max = 30
recipient_unqualified_hosts = 
recipients_max = 0
no_recipients_max_reject
remote_max_parallel = 2
remote_sort_domains = 
retry_data_expire = 1w
retry_interval_max = 1d
return_path_remove
rfc1413_hosts = *
rfc1413_query_timeout = 5s
sender_unqualified_hosts = 
smtp_accept_keepalive
smtp_accept_max = 20
smtp_accept_max_nonmail = 10
smtp_accept_max_nonmail_hosts = *
smtp_accept_max_per_connection = 1000
smtp_accept_max_per_host = 
smtp_accept_queue = 0
smtp_accept_queue_per_connection = 10
smtp_accept_reserve = 0
smtp_active_hostname = 
smtp_banner = $smtp_active_hostname ESMTP Exim $version_number $tod_full
smtp_check_spool_space
smtp_connect_backlog = 20
smtp_enforce_sync
smtp_etrn_command = 
smtp_etrn_serialize
smtp_load_reserve =
smtp_max_synprot_errors = 3
smtp_max_unknown_commands = 3
smtp_ratelimit_hosts = 
smtp_ratelimit_mail = 
smtp_ratelimit_rcpt = 
smtp_receive_timeout = 5m
smtp_reserve_hosts = 
no_smtp_return_error_details
no_split_spool_directory
spool_directory = /var/spool/exim4
no_strict_acl_vars
no_strip_excess_angle_brackets
no_strip_trailing_dot
syslog_duplication
syslog_facility = 
syslog_processname = exim
syslog_timestamp
system_filter = 
system_filter_directory_transport = 
system_filter_file_transport = 
system_filter_group = 
system_filter_pipe_transport = 
system_filter_reply_transport = 
system_filter_user = 
tcp_nodelay
timeout_frozen_after = 1w
timezone = 
tls_advertise_hosts = *
tls_certificate = /etc/exim4/exim.crt
tls_crl = 
tls_dh_max_bits = 2236
tls_dhparam = 
tls_ocsp_file = 
tls_on_connect_ports = 
tls_privatekey = /etc/exim4/exim.key
no_tls_remember_esmtp
tls_require_ciphers = 
tls_try_verify_hosts = 
tls_verify_certificates = ${if exists{/etc/ssl/certs/ca-certificates.crt}{/etc/ssl/certs/ca-certificates.crt}{/dev/null}}
tls_verify_hosts = 
trusted_groups =
trusted_users = uucp
unknown_login = 
unknown_username = 
untrusted_set_sender = *
uucp_from_pattern = ^From\s+(\S+)\s+(?:[a-zA-Z]{3},?\s+)?(?:[a-zA-Z]{3}\s+\d?\d|\d?\d\s+[a-zA-Z]{3}\s+\d\d(?:\d\d)?)\s+\d\d?:\d\d?
uucp_from_sender = $1
warn_message_file = 
write_rejectlog
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Hopefully not too much information at once(?)!

-- 
Greetings from the city of CeBIT
Jochen


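Added example (my own code, not from the post above and not part of the Debian exim4 package): the `exim -bP` output in the post shows `local_interfaces` listening on `0.0.0.0.465` while `tls_on_connect_ports` is empty and `tls_advertise_hosts = *`. With those values Exim greets a connection on 465 with a plaintext `220` banner and merely offers STARTTLS, which is exactly what the telnet transcript shows; a client that expects TLS-on-connect (swaks `-tlsc`, or an MUA set to "SSL/TLS" on 465) sends a ClientHello into that plaintext banner and OpenSSL reports `unknown protocol`. The script below parses those two options (including Exim's `<;` separator-change syntax) to say which mode each listening port will speak, and classifies the first bytes a server sends so the symptom can be matched to the cause. The `probe()` helper needs network access and is not exercised by the embedded sample data, which is constructed from the values in the post.

```python
"""Work out which TLS mode each Exim listening port speaks, from `exim -bP` values.

Added diagnostic example; assumes only the option semantics documented for Exim:
  - local_interfaces / daemon_smtp_ports: where the daemon listens ("addr.port")
  - tls_on_connect_ports: ports that must start with a TLS handshake (SMTPS)
  - tls_advertise_hosts: non-empty means STARTTLS is offered on plaintext ports
"""
import socket

# Values copied from the `exim -bP` output in the post (constructed sample input).
POSTED_LOCAL_INTERFACES = "<; 127.0.0.1.25 ; ::1.25 ; 0.0.0.0.465"
POSTED_TLS_ON_CONNECT_PORTS = ""
POSTED_TLS_ADVERTISE_HOSTS = "*"


def parse_exim_list(value: str) -> list:
    """Split an Exim string list. The default separator is ':'; a leading '<x'
    (here '<;') switches the separator to x, which is how IPv6 literals are listed."""
    value = value.strip()
    sep = ":"
    if value.startswith("<") and len(value) > 1:
        sep = value[1]
        value = value[2:]
    return [item.strip() for item in value.split(sep) if item.strip()]


def port_of(interface: str) -> int:
    """'0.0.0.0.465' -> 465, '::1.25' -> 25: the port follows the last '.'."""
    _addr, _dot, port = interface.rpartition(".")
    return int(port)


def port_modes(local_interfaces: str, tls_on_connect_ports: str,
               tls_advertise_hosts: str = "*") -> dict:
    """Map each listening port to the protocol Exim will speak on it."""
    ports = {port_of(i) for i in parse_exim_list(local_interfaces)}
    implicit = {int(p) for p in parse_exim_list(tls_on_connect_ports)}
    modes = {}
    for port in sorted(ports):
        if port in implicit:
            modes[port] = "implicit-tls"        # TLS handshake first, banner inside TLS
        elif tls_advertise_hosts.strip():
            modes[port] = "plaintext+starttls"  # clear-text 220 banner, STARTTLS offered
        else:
            modes[port] = "plaintext"           # clear-text only
    return modes


def classify_first_bytes(data: bytes) -> str:
    """Classify what a server sends right after connect (before the client speaks).

    b'220 ...'   plaintext SMTP banner  -> the client must use STARTTLS, not TLS-on-connect
    0x16 0x03    TLS handshake record   -> seen only as a reply to our ClientHello
    0x15 0x03    TLS alert record
    b''          nothing: an implicit-TLS server waits for the client's ClientHello
    """
    if not data:
        return "no-greeting"
    if len(data) >= 4 and data[:3].isdigit() and data[3:4] in (b" ", b"-"):
        return "plaintext-smtp-banner"
    if len(data) >= 2 and data[1] == 0x03:
        if data[0] == 0x16:
            return "tls-handshake-record"
        if data[0] == 0x15:
            return "tls-alert"
    return "unknown"


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect and classify whatever arrives before we send a byte (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            data = sock.recv(64)
        except socket.timeout:
            data = b""
    return classify_first_bytes(data)


if __name__ == "__main__":
    # As posted: 465 is a plaintext+STARTTLS port, so `swaks -tlsc -p 465` must fail.
    print("as posted:", port_modes(POSTED_LOCAL_INTERFACES, POSTED_TLS_ON_CONNECT_PORTS,
                                    POSTED_TLS_ADVERTISE_HOSTS))
    # Same listeners with tls_on_connect_ports = 465: 465 becomes SMTPS, 25 keeps STARTTLS.
    print("with tls_on_connect_ports=465:",
          port_modes(POSTED_LOCAL_INTERFACES, "465", POSTED_TLS_ADVERTISE_HOSTS))
    print(classify_first_bytes(b"220 ct-Server.myhost.dyndns.org ESMTP Exim 4.84_2"))
```

To verify against a live server, use the matching client mode for each port: `openssl s_client -connect host:465` for a port listed in `tls_on_connect_ports` (note that the openssl attempts in the post used port 456, not 465), and `openssl s_client -starttls smtp -connect host:25` for a plaintext port that advertises STARTTLS. In the telnet transcript the server answered `220 TLS go ahead`, after which the TLS handshake has to start; sending `EHLO` in the clear at that point is what produced the GnuTLS "unexpected TLS packet" entry in mainlog. Where the `tls_on_connect_ports = 465` line belongs in the split Debian configuration (a main-section file under conf.d/main, regenerated with update-exim4.conf) is an assumption on my part, not something the post shows.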