
Getting both TLS and SSL working for exim4 smtp.



I have an exim4-daemon-heavy server running (split config) on stable.

The server listens on port 25 and (I believe) is working fine with TLS. Put it this way - I and my parents can all connect with TLS turned on in thunderbird.

I followed a lot of the info from

http://www.debian-administration.org/articles/280

to get here.

I do have the exim.crt and exim.key in /etc/exim4 - generated using the script suggested in the article.

In conf.d/main/01_exim4-config_listmacrosdefs_local I have

MAIN_TLS_ENABLE = true

In conf.d/auth/30_exim_config I have

plain_server:
  driver = plaintext
  public_name = PLAIN
  server_condition = "${if crypteq{$3}{${extract{1}{:}{${lookup{$2} lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
  server_set_id = $2
  server_prompts = :
  .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
  .endif

login_server:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"
  server_condition = "${if crypteq{$2}{${extract{1}{:}{${lookup{$1} lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
  server_set_id = $1
  .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
  .endif


Now - I am trying to get my phone to play ball. It simply gives an "Unknown error" for TLS (it prompts to accept the cert since it's self-signed).

In the exim4 server log I see

2006-11-08 20:35:27 TLS recv error on connection from dhcp57.home.chrissearle.org [192.168.1.57]: A TLS fatal alert has been received.: Bad record MAC
2006-11-08 20:35:27 TLS send error on connection from dhcp57.home.chrissearle.org [192.168.1.57]: The specified session has been invalidated for some reason.

So - I'd like to try the SSL option. This wants to talk to port 465. exim4 is only listening on port 25.

So - I added the following to the conf.d/main/02_exim4-config_options file

tls_on_connect_ports = 465
daemon_smtp_ports = 25 : 465

Now exim4 is listening on port 465

Connecting in the client - yes - it asked me to approve the (self-signed) certificate. But then I get "Secure session failed" again.

In the exim4 server log I see

2006-11-08 20:53:42 TLS recv error on connection from dhcp57.home.chrissearle.org [192.168.1.57]: A TLS fatal alert has been received.: Bad record MAC
2006-11-08 20:53:42 TLS send error on connection from dhcp57.home.chrissearle.org [192.168.1.57]: The specified session has been invalidated for some reason.

Of course - the phone gives zero logging possibilities.

Note that the phone can successfully send via TLS to googlemail - so it should support TLS just fine.

Chris
debian-user@chrissearle.org
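A small parser for the exim4 TLS error lines quoted above, added here as an example and not part of Chris's post: it groups the recv/send pairs per client IP so that a host repeatedly failing the handshake with "Bad record MAC" stands out in the main log. The regex assumes the general line shape shown in the post, and the sample log below is constructed from the two quoted excerpts plus one unrelated queue-run line.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed general form of the lines quoted in the post:
# "<timestamp> TLS recv|send error on connection from <host> [<ip>]: <message>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) TLS (?P<dir>recv|send) error "
    r"on connection from (?P<host>\S+) \[(?P<ip>[^\]]+)\]: (?P<msg>.*)$"
)

# Constructed sample: the post's two error episodes plus an unrelated line.
SAMPLE_LOG = """\
2006-11-08 20:35:27 TLS recv error on connection from dhcp57.home.chrissearle.org [192.168.1.57]: A TLS fatal alert has been received.: Bad record MAC
2006-11-08 20:35:27 TLS send error on connection from dhcp57.home.chrissearle.org [192.168.1.57]: The specified session has been invalidated for some reason.
2006-11-08 20:40:01 Start queue run: pid=1234
2006-11-08 20:53:42 TLS recv error on connection from dhcp57.home.chrissearle.org [192.168.1.57]: A TLS fatal alert has been received.: Bad record MAC
2006-11-08 20:53:42 TLS send error on connection from dhcp57.home.chrissearle.org [192.168.1.57]: The specified session has been invalidated for some reason.
"""


def parse_tls_errors(text):
    """Return one dict per TLS error line; all other log lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
            events.append(d)
    return events


def handshake_failures(text):
    """Summarise per client IP. The recv error carries the alert the peer sent
    and the matching send error only reports the torn-down session, so only
    recv lines mentioning 'Bad record MAC' are counted as failed handshakes."""
    per_ip = defaultdict(lambda: {"host": None, "bad_mac": 0, "first": None, "last": None})
    for e in parse_tls_errors(text):
        rec = per_ip[e["ip"]]
        rec["host"] = e["host"]
        rec["first"] = rec["first"] or e["ts"]
        rec["last"] = e["ts"]
        if e["dir"] == "recv" and "Bad record MAC" in e["msg"]:
            rec["bad_mac"] += 1
    return dict(per_ip)


if __name__ == "__main__":
    for ip, rec in handshake_failures(SAMPLE_LOG).items():
        print(f"{ip} ({rec['host']}): {rec['bad_mac']} Bad record MAC failures, "
              f"{rec['first']} .. {rec['last']}")
```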
