Exim and TLS

Posted: Tue Jan 28, 2014 1:31 am
by Colb
Hi,

Seems that exim is not configured by default to use TLS auth.
I followed this guide (found here) : http://support.eidolonhost.com/wiki/Ves ... re_VestaCP

Here's my exim.conf

#default conf
#tls_advertise_hosts = *
#tls_certificate = /etc/pki/tls/certs/exim.pem
#tls_privatekey = /etc/pki/tls/private/exim.pem

I thought using this default conf exim was using TLS, but no.

#config test TLS
tls_advertise_hosts = *
tls_certificate = /usr/local/vesta/ssl/certificate.crt
tls_privatekey = /usr/local/vesta/ssl/certificate.key

But in both cases, TLS doesn't work.

Any idea about what I missed?

Thanks

Re: Exim and TLS

Posted: Tue Jan 28, 2014 5:39 am
by jhewit
Colb wrote:
Hi,

Seems that exim is not configured by default to use TLS auth.
I followed this guide (found here) : http://support.eidolonhost.com/wiki/Ves ... re_VestaCP

Here's my exim.conf

#default conf
#tls_advertise_hosts = *
#tls_certificate = /etc/pki/tls/certs/exim.pem
#tls_privatekey = /etc/pki/tls/private/exim.pem

I thought using this default conf exim was using TLS, but no.

#config test TLS
tls_advertise_hosts = *
tls_certificate = /usr/local/vesta/ssl/certificate.crt
tls_privatekey = /usr/local/vesta/ssl/certificate.key

But in both cases, TLS doesn't work.

Any idea about what I missed?

Thanks

Have you verified that the .crt and .key files are both at the stated locations?
As far as I know, when I did it the path was entirely different on CentOS. If the files
are not there, or are not the correct ones, it won't work.

Reference topic:
viewtopic.php?f=10&t=4304&start=10

Re: Exim and TLS

Posted: Sat Feb 08, 2014 7:43 pm
by webver
I have the same problem with exim4. The certificate and key are in the right place, but TLS is still not working.

Guys, does anyone have a solution for this problem? Is there anything I can try to make TLS work?

Re: Exim and TLS

Posted: Sat Feb 08, 2014 8:54 pm
by Colb
@jhewit : I followed the reference topic before posting, but it changes nothing. I think I missed something...
The .crt and .key files are indeed in the same location.

Re: Exim and TLS

Posted: Tue Feb 18, 2014 12:35 pm
by adamprickett
Check permissions on the certificate and key file. They need to be accessible to Exim.

I have SSL working and the perms are -rw-r----- 1 root Debian-exim for both and are stored in /etc/ssl/private/

Also, have you restarted exim?

Re: Exim and TLS

Posted: Wed Apr 16, 2014 11:23 pm
by delafuzz
Colb wrote: I followed this guide (found here) : http://support.eidolonhost.com/wiki/Ves ... re_VestaCP

I also have this same trouble (not being able to enable TLS for Exim) and have seen said guide mentioned several times at the forums - but alas it is offline now. Does anyone have an alternative link for it? Or would anyone be willing to walk a noob through this?

For starters, I don't know if I should use the certificates found at /usr/local/vesta/ssl or replace them with others. I'm utterly lost and really really need to set up email.

Re: Exim and TLS

Posted: Sat Sep 27, 2014 6:31 pm
by skinniyah
Here's what I did to accomplish the following:
For Ubuntu 14.03

1. Use custom TLS/SSL certs for SMTP:

nano /etc/exim4/exim4.conf.template

If you have your own certificate and key, then change the lines to point to the appropriate files (key and certificate).

tls_advertise_hosts = *
tls_certificate = /path/to/certificate.crt
tls_privatekey = /path/to/key.key

service exim4 restart

TLS/SSL will be forced; plaintext auth is still allowed, but since it's over TLS/SSL, it's ok.

2. Force TLS/SSL login for IMAP

nano /etc/dovecot/conf.d/10-ssl.conf

Edit the following lines to point to the certificate and key for your server:

ssl_cert = </path/to/customcert.crt
ssl_key = </path/to/customkey.key

Add this line to prevent plaintext authentication unless there is secured access:

disable_plaintext_auth = yes

service dovecot restart

3. POP3

Things will be more secure if you prevent access to unsecure POP3 and allow only POP3S.

nano /etc/dovecot/dovecot.conf

Add to the end of the file (port 0 disables the port) to disable unsecure POP3:

# configure pop3-proxy
# added to disable port 110 for unsecure pop3
service pop3-login {
  inet_listener pop3 {
    port = 0
  }
}

http://www.emailsecuritygrader.com/ is a good link to test mail server security.

Re: Exim and TLS

Posted: Thu Oct 30, 2014 6:36 pm
by GuzziGuy
Thanks for the info on this thread, very useful - I had the same requirement to ensure that any auth/password sending was over SSL.

I think one thing may be incomplete, though; in exim4.conf.template you suggest:

tls_advertise_hosts = *
tls_certificate = /path/to/certificate.crt
tls_privatekey = /path/to/key.key

From what I can tell, this accepts TLS connections, but does not explicitly require them. I was certainly able to still send mail over 587 (and maybe 25) with no TLS. After hunting around, I also had to add:

auth_advertise_hosts = ${if eq {$tls_cipher}{}{}{*}}

which seems to work. Good call on the dovecot config - I just disabled port 110 in the firewall :P
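A small audit script, added here as an example (it is not from this thread, from VestaCP or from Exim), that checks an Exim main configuration for the two gaps discussed above: the TLS options left commented out as in Colb's default conf, and AUTH still advertised on cleartext sessions, which GuzziGuy's auth_advertise_hosts line closes. It also checks a key file's mode and ownership against the -rw-r----- root:Debian-exim layout adamprickett reports. The Debian-exim user and group names, the sample config and the permission values are assumptions.

```python
import re
import stat

# The three main-section options this thread turns on.
TLS_OPTIONS = ("tls_advertise_hosts", "tls_certificate", "tls_privatekey")

def parse_main_options(config_text):
    """Collect 'name = value' lines; comment lines are skipped, so a commented-out option stays unset."""
    opts = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$", line)
        if m:
            opts[m.group(1)] = m.group(2).strip()
    return opts

def audit_exim_tls(config_text):
    """Findings: STARTTLS not offered, and AUTH still offered before TLS is established."""
    opts = parse_main_options(config_text)
    findings = []
    for name in TLS_OPTIONS:
        if name not in opts:
            findings.append(f"{name} missing or commented out: STARTTLS will not be offered")
    # Exim's built-in default advertises AUTH to every host, whether or not TLS is up.
    auth = opts.get("auth_advertise_hosts", "*")
    if "$tls_cipher" not in auth and "$tls_in_cipher" not in auth:
        findings.append("auth_advertise_hosts not conditioned on TLS: passwords may be sent in the clear")
    return findings

def audit_key_perms(mode, owner, group, exim_user="Debian-exim", exim_group="Debian-exim"):
    """The Exim daemon must be able to read the private key; nobody else should (assumed user/group names)."""
    findings = []
    if mode & stat.S_IROTH:
        findings.append("key is world-readable")
    readable = ((owner == exim_user and mode & stat.S_IRUSR)
                or (group == exim_group and mode & stat.S_IRGRP)
                or mode & stat.S_IROTH)
    if not readable:
        findings.append(f"key is not readable by {exim_user}:{exim_group}; Exim cannot start TLS")
    return findings

if __name__ == "__main__":
    # Constructed sample: the three lines from the thread plus GuzziGuy's addition.
    sample = ("tls_advertise_hosts = *\ntls_certificate = /path/to/certificate.crt\n"
              "tls_privatekey = /path/to/key.key\nauth_advertise_hosts = ${if eq {$tls_cipher}{}{}{*}}\n")
    print(audit_exim_tls(sample) or "exim config: OK")
    print(audit_key_perms(0o640, "root", "Debian-exim") or "key perms: OK")
```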

Re: Exim and TLS

Posted: Sun Feb 08, 2015 5:36 pm
by mephivio
Hi,

Does it work if you have several mail domains?
Do you have anything to modify?
Thanks for your help.

J