
Re: TLS and Exim on Sarge



On Wed, 2003-02-12 at 08:45, Craig Jackson wrote: 
> This is an exim question but I post it to this group because it is
> installed from a testing Debian package on Sarge. It starts with the
> script in /etc/init.d. I had exim installed then decided I wanted
> exim-tls and installed that. Please can anyone tell me how to start exim
> with tls support. When I try to connect with telnet, I get this error:
> 
>  <rhino IP-TRACKING 0>$ telnet myip 465
> Trying myip ...
> telnet: Unable to connect to remote host: Connection refused

Port 465 is not what is used for TLS. Port 465 is for ssmtp. The
difference is that with ssmtp, the socket connection itself uses SSL,
and normal communications take place over that socket. With TLS, a
normal port 25 connection is made, and encrypted communications take
place within that connection.

TLS is standardized whereas ssmtp is more of an ad-hoc standard. From my
readings on the exim mailing lists, I don't believe the developers have
any intention of supporting ssmtp. Instead, you can use stunnel. I added
the stunnel startup within my /etc/init.d/exim (I probably should have
put it in a separate script, but this Works For Me).

I added
STUNNEL=/usr/sbin/stunnel

to the beginning of the file, and put this in the "start)" section:


    # stunnel (command-line flags, stunnel 3 style): listen on 465, terminate
    # SSL, and hand each connection to exim on stdin/stdout (-bs). -DMUSTAUTH
    # defines an exim macro; DAEMON is the exim path the init script already sets.
    start-stop-daemon --start --exec $STUNNEL -- -d 465 -l $DAEMON \
                            -p /etc/exim/okmaybe.com.stunnel -- \
                            exim -bs -DMUSTAUTH=127.0.0.1

and in the "stop)" section:
    start-stop-daemon --stop --oknodo --exec $STUNNEL


Then (VERY IMPORTANT), add the line
auth_hosts = MUSTAUTH

to your /etc/exim/exim.conf. The reason for this is that all port 465
connections will appear to originate from 127.0.0.1, and unless you force
authentication, you will have an open relay.

Of course, this means that you have to have authentication setup, but
there should be plenty in the archives on how to take care of that.

Someone else on this list may be able to suggest a way to disable relay
without requiring authentication, but I at least know that this works.

Now, with all that said, you are probably better off to just use
application-level encryption such as PGP/S/MIME ;-)

-Mark
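The two points in the reply above, that port 465 wraps the whole socket in SSL while port 25 negotiates TLS inside a plain session, and that every stunnel-forwarded connection looks like 127.0.0.1 to exim so only AUTH can keep it from being an open relay, can be checked from the outside. The following is an added example, not code from Mark's post or from Exim or stunnel. It speaks to a server over either implicit TLS (465) or STARTTLS (25) with Python's smtplib, tries a RCPT TO for an outside domain without authenticating, and separately scores a recorded SMTP dialogue for the open-relay pattern so the logic can be run offline. The host names, mailboxes, the local domain (guessed from the certificate path in the post) and the transcripts are all constructed for illustration.

```python
"""Open-relay probe for an SMTP service reached over implicit TLS (port 465,
what stunnel wraps) or STARTTLS on port 25.  Added example, not code from the
post above or from Exim/stunnel.  Names, mailboxes and transcripts are
constructed for illustration.
"""
import smtplib
import ssl

# Domains the server is supposed to accept mail for (assumption: taken from
# the certificate path in the post).  A 2xx to RCPT for any other domain,
# with no successful AUTH first, means the host relays for anyone.
LOCAL_DOMAINS = {"okmaybe.com"}


def parse_transcript(text):
    """Parse a dialogue written as 'C: <command>' / 'S: <reply>' lines into
    (command, final reply code) pairs.  Multi-line replies ('250-...') are
    folded into the line that ends them ('250 ...')."""
    turns, command = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("C: "):
            command = line[3:]
        elif line.startswith("S: ") and command is not None:
            reply = line[3:]
            if len(reply) > 3 and reply[3] == "-":
                continue                      # continuation line, keep reading
            turns.append((command, int(reply[:3])))
            command = None
    return turns


def relay_open(turns, local_domains=LOCAL_DOMAINS):
    """True if a RCPT TO for a non-local domain got a 2xx while the session
    had not completed AUTH (235)."""
    authenticated, in_auth = False, False
    for command, code in turns:
        verb = command.split(None, 1)[0].upper()
        if verb == "AUTH" or in_auth:
            authenticated = authenticated or code == 235
            in_auth = code == 334             # server wants the next SASL line
            continue
        if verb == "RCPT" and code // 100 == 2 and not authenticated:
            domain = command.rsplit("@", 1)[-1].rstrip(">").strip().lower()
            if domain not in local_domains:
                return True
    return False


def probe(host, port, implicit_tls, sender="probe@example.net",
          rcpt="someone@example.org", context=None):
    """Live check: MAIL FROM / RCPT TO for an outside mailbox without
    authenticating; returns the RCPT reply code.  Nothing is delivered, the
    session is reset before QUIT.  Pass a context with verification relaxed
    if the server uses a self-signed certificate."""
    ctx = context or ssl.create_default_context()
    if implicit_tls:                          # port 465: TLS first, SMTP inside it
        conn = smtplib.SMTP_SSL(host, port, timeout=10, context=ctx)
    else:                                     # port 25: plain SMTP, then STARTTLS
        conn = smtplib.SMTP(host, port, timeout=10)
        conn.starttls(context=ctx)
    try:
        conn.ehlo("probe.example")
        conn.mail(sender)
        code, _ = conn.rcpt(rcpt)
        conn.rset()
        conn.quit()
    finally:
        conn.close()
    return code


# Constructed transcript of what a probe sees on port 465: the connection
# arrives via stunnel from 127.0.0.1, so only AUTH separates a local client
# from the whole Internet.
OPEN_RELAY = """\
S: 220 okmaybe.com ESMTP Exim
C: EHLO probe.example
S: 250-okmaybe.com Hello probe.example [127.0.0.1]
S: 250-AUTH PLAIN LOGIN
S: 250 HELP
C: MAIL FROM:<probe@example.net>
S: 250 OK
C: RCPT TO:<someone@example.org>
S: 250 Accepted
C: RSET
S: 250 Reset OK
C: QUIT
S: 221 okmaybe.com closing connection
"""
# Same session once auth_hosts covers 127.0.0.1: the outside RCPT is refused.
AUTH_REQUIRED = OPEN_RELAY.replace("S: 250 Accepted",
                                   "S: 530 authentication required")
# Authenticated session (constructed credentials): relaying after 235 is fine.
AUTHENTICATED = OPEN_RELAY.replace(
    "C: MAIL FROM", "C: AUTH PLAIN\nS: 334 \nC: AGpvZQBzM2NyM3Q=\n"
                    "S: 235 Authentication succeeded\nC: MAIL FROM")

if __name__ == "__main__":
    for name, text in (("open relay", OPEN_RELAY), ("auth_hosts set", AUTH_REQUIRED),
                       ("authenticated", AUTHENTICATED)):
        print(f"{name:15s} relays without auth: {relay_open(parse_transcript(text))}")
```

To test a real box, call probe("mail.example", 465, True) and probe("mail.example", 25, False): a 2xx for the outside recipient is the open relay the reply warns about; 530 or 550 is what you want to see on 465 once auth_hosts is in place.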


