Getting both TLS and SSL working for exim4 smtp.
I have an exim4-daemon-heavy server running (split config) on stable.
The server listens on port 25 and (I believe) is working fine with
TLS. Put it this way - my parents and I can all connect with TLS
turned on in Thunderbird.
I followed a lot of the info from
http://www.debian-administration.org/articles/280
to get here.
I do have the exim.crt and exim.key in /etc/exim4 - generated using
the script suggested in the article.
In conf.d/main/01_exim4-config_listmacrosdefs_local I have
MAIN_TLS_ENABLE = true
In conf.d/auth/30_exim_config I have
plain_server:
driver = plaintext
public_name = PLAIN
server_condition = "${if crypteq{$3}{${extract{1}{:}{${lookup{$2}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
server_set_id = $2
server_prompts = :
.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
.endif
login_server:
driver = plaintext
public_name = LOGIN
server_prompts = "Username:: : Password::"
server_condition = "${if crypteq{$2}{${extract{1}{:}{${lookup{$1}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
server_set_id = $1
.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
.endif
Now - I am trying to get my phone to play ball. It simply gives an
"Unknown error" for TLS (it prompts to accept the cert since it's
self-signed).
In the exim4 server log I see
2006-11-08 20:35:27 TLS recv error on connection from dhcp57.home.chrissearle.org [192.168.1.57]: A TLS fatal alert has been received.: Bad record MAC
2006-11-08 20:35:27 TLS send error on connection from dhcp57.home.chrissearle.org [192.168.1.57]: The specified session has been invalidated for some reason.
So - I'd like to try the SSL option. This wants to talk to port 465.
exim4 is only listening to 25.
So - I added the following to the conf.d/main/02_exim4-config_options
file
tls_on_connect_ports = 465
daemon_smtp_ports = 25 : 465
Now exim4 is listening on port 465
Connecting in the client - yes - it asked me to approve the
(self-cert) certificate. But then I get "Secure session failed" again.
In the exim4 server log I see
2006-11-08 20:53:42 TLS recv error on connection from dhcp57.home.chrissearle.org [192.168.1.57]: A TLS fatal alert has been received.: Bad record MAC
2006-11-08 20:53:42 TLS send error on connection from dhcp57.home.chrissearle.org [192.168.1.57]: The specified session has been invalidated for some reason.
Of course - the phone gives zero logging possibilities.
Note that the phone can successfully send via TLS to googlemail - so
it should support TLS just fine.
Chris
debian-user@chrissearle.org
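An added example, not part of the post above and not Exim's own code: a small Python script that pulls the "TLS recv/send error" lines quoted in the post out of an Exim mainlog and counts distinct failed handshakes per client, which is the first thing to check before touching ports or cipher settings. The sample log is constructed from the excerpt in the post plus one invented successful-submission line so the filter has something to skip; the "<=" line's fields are assumed, not taken from the post.

```python
import re
from collections import defaultdict

# Constructed sample input: the two failures quoted in the post plus one
# invented successful submission line (fields assumed), so the filter has
# a non-error line to ignore.
SAMPLE_LOG = """\
2006-11-08 20:35:27 TLS recv error on connection from dhcp57.home.chrissearle.org [192.168.1.57]: A TLS fatal alert has been received.: Bad record MAC
2006-11-08 20:35:27 TLS send error on connection from dhcp57.home.chrissearle.org [192.168.1.57]: The specified session has been invalidated for some reason.
2006-11-08 20:40:01 <= chris@example.org H=laptop.home.chrissearle.org [192.168.1.20] P=esmtpsa A=plain_server:chris S=1234
2006-11-08 20:53:42 TLS recv error on connection from dhcp57.home.chrissearle.org [192.168.1.57]: A TLS fatal alert has been received.: Bad record MAC
2006-11-08 20:53:42 TLS send error on connection from dhcp57.home.chrissearle.org [192.168.1.57]: The specified session has been invalidated for some reason.
"""

# One Exim mainlog TLS error entry: timestamp, direction, client host and
# IP, then the TLS library's free-text description of what went wrong.
TLS_ERR = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) TLS (?P<dir>recv|send) error "
    r"on connection from (?P<host>\S+) \[(?P<ip>[^\]]+)\]: (?P<msg>.*)$"
)


def parse_tls_errors(text):
    """Return one dict per TLS error line; every other mainlog line is ignored."""
    return [m.groupdict() for m in map(TLS_ERR.match, text.splitlines()) if m]


def failures_by_client(errors):
    """Group errors by client IP. Distinct timestamps count as separate failed
    handshakes; the alert name is the last ': '-separated part of a recv error."""
    per_ip = defaultdict(lambda: {"host": None, "stamps": set(), "alerts": set()})
    for e in errors:
        rec = per_ip[e["ip"]]
        rec["host"] = e["host"]
        rec["stamps"].add(e["ts"])
        if e["dir"] == "recv":
            rec["alerts"].add(e["msg"].split(": ")[-1])
    return {
        ip: {"host": r["host"], "attempts": len(r["stamps"]), "alerts": sorted(r["alerts"])}
        for ip, r in per_ip.items()
    }


if __name__ == "__main__":
    for ip, r in failures_by_client(parse_tls_errors(SAMPLE_LOG)).items():
        print(f"{ip} ({r['host']}): {r['attempts']} failed handshake(s), alerts {r['alerts']}")
```

Run it against the real /var/log/exim4/mainlog to see whether the same client keeps failing with the same alert on both port 25 (STARTTLS) and port 465 (tls_on_connect_ports), which points at the client-side TLS implementation rather than at the listener setup.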