Exim and TLS
Hi,
Seems that exim is not configured by default to use TLS auth.
I followed this guide (found here): http://support.eidolonhost.com/wiki/Ves ... re_VestaCP
Here's my exim.conf
I thought that with this default conf exim was using TLS, but no:
Code: Select all
#default conf
#tls_advertise_hosts = *
#tls_certificate = /etc/pki/tls/certs/exim.pem
#tls_privatekey = /etc/pki/tls/private/exim.pem

But in both cases, TLS doesn't work.
Code: Select all
#config test TLS
tls_advertise_hosts = *
tls_certificate = /usr/local/vesta/ssl/certificate.crt
tls_privatekey = /usr/local/vesta/ssl/certificate.key

Any idea about what I missed?
Thanks
Re: Exim and TLS
Have you verified that the .crt and .key files are both at the stated locations?
As far as I know, when I did it the path was entirely different on CentOS. If the files are not there, or are not the correct ones, it won't work.
Reference topic:
viewtopic.php?f=10&t=4304&start=10
Re: Exim and TLS
I have the same problem with exim4. The certificate and key are in the right place, but TLS is still not working.
Guys, does anyone have a solution for this problem? Is there anything I can try to make TLS work?
Re: Exim and TLS
@jhewit: I followed the reference topic before posting, but it changes nothing. I think I missed something...
The .crt and .key files are indeed in the same location.
Re: Exim and TLS
Check permissions on the certificate and key file. They need to be accessible to Exim.
I have SSL working and the perms are -rw-r----- 1 root Debian-exim for both and are stored in /etc/ssl/private/
Also, have you restarted exim?
Re: Exim and TLS
Colb wrote: I followed this guide (found here): http://support.eidolonhost.com/wiki/Ves ... re_VestaCP
I also have this same trouble (not being able to enable TLS for Exim) and have seen said guide mentioned several times at the forums - but alas it is offline now. Does anyone have an alternative link for it? Or be willing to walk a noob through this?
For starters, I don't know if I should use the certificates found at /usr/local/vesta/ssl or replace them with others. I'm utterly lost and really really need to set up email.
Re: Exim and TLS
Here's what I did to accomplish the following:
For Ubuntu 14.03

1. Use custom TLS/SSL certs for SMTP:
Code: Select all
nano /etc/exim4/exim4.conf.template

If you have your own certificate and key, then change the lines to point to the appropriate files (key and certificate).
Code: Select all
tls_advertise_hosts = *
tls_certificate = /path/to/certificate.crt
tls_privatekey = /path/to/key.key

TLS/SSL will be forced, but plaintext auth is still allowed, but since it's over TLS/SSL, it's ok.
Code: Select all
service exim4 restart

2. Force TLS/SSL login for IMAP
Code: Select all
nano /etc/dovecot/conf.d/10-ssl.conf

Edit the following lines to point to certificate and key for your server
Code: Select all
ssl_cert = </path/to/customcert.crt
ssl_key = </path/to/customkey.key

Add this line to prevent plaintext authentication unless there is secured access:
Code: Select all
disable_plaintext_auth=yes

Code: Select all
service dovecot restart

3. POP3
Code: Select all
nano /etc/dovecot/dovecot.conf

Add to end of file (port 0 disables port) to disable unsecure POP3.
Code: Select all
# configure pop3-proxy
# added to disable port 110 for unsecure pop3
service pop3-login {
  inet_listener pop3 {
    port = 0
  }
}

http://www.emailsecuritygrader.com/ good link to test mail server security
Re: Exim and TLS
Thanks for the info on this thread, v useful - I had the same requirement to ensure that any auth/password sending was over SSL.
I think one thing may be incomplete, though; in exim4.conf.template you suggest:
Code: Select all
tls_advertise_hosts = *
tls_certificate = /path/to/certificate.crt
tls_privatekey = /path/to/key.key

From what I can tell, this accepts TLS connections, but does not explicitly require them. I was certainly able to still send mail over 587 (and maybe 25) with no TLS. After hunting around, I also had to add:
Code: Select all
auth_advertise_hosts = ${if eq {$tls_cipher}{}{}{*}}

Which seems to work. Good call on the dovecot config - I just disabled port 110 in the firewall :P
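
Added example, not part of any post in this thread and not VestaCP or Exim tooling: a shell audit that reads an Exim configuration file and reports the three points raised above (TLS options left commented out, a certificate or key path the current user cannot read, and AUTH advertised without depending on TLS). The names `exim_opt` and `audit_exim_tls` and the sample files are constructed for illustration; it assumes plain `name = value` lines, with no macros or included files.

```shell
# Added example: audit an Exim config for the TLS points raised in this thread.
# Value of the last active (uncommented) "name = value" line in a config file.
exim_opt() {   # $1 = config file, $2 = option name
    sed -n "s/^[[:space:]]*${2}[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Print one line per finding; return 1 if anything was found, else 0.
audit_exim_tls() {   # $1 = config file
    conf=$1; bad=0
    for opt in tls_advertise_hosts tls_certificate tls_privatekey; do
        val=$(exim_opt "$conf" "$opt")
        if [ -z "$val" ]; then
            echo "NOT SET: $opt (absent or commented out)"; bad=1
        elif [ "$opt" != tls_advertise_hosts ] && [ ! -r "$val" ]; then
            # -r tests the current user, so run this as the Exim user.
            echo "UNREADABLE: $opt = $val"; bad=1
        fi
    done
    # AUTH should only be advertised once TLS is up, as in the thread's
    # auth_advertise_hosts line; $tls_in_cipher is the newer variable name.
    case $(exim_opt "$conf" auth_advertise_hosts) in
        *tls_cipher*|*tls_in_cipher*) ;;
        *) echo "WEAK: auth_advertise_hosts is not conditional on TLS"; bad=1 ;;
    esac
    return "$bad"
}

# Constructed sample files in a temp dir (not taken from a real server).
demo=$(mktemp -d)
: > "$demo/cert.crt"; : > "$demo/key.key"
cat > "$demo/default.conf" <<EOF
#tls_advertise_hosts = *
#tls_certificate = /etc/pki/tls/certs/exim.pem
#tls_privatekey = /etc/pki/tls/private/exim.pem
EOF
cat > "$demo/tls_only.conf" <<EOF
tls_advertise_hosts = *
tls_certificate = $demo/cert.crt
tls_privatekey = $demo/missing.key
EOF
cat > "$demo/tls_auth.conf" <<EOF
tls_advertise_hosts = *
tls_certificate = $demo/cert.crt
tls_privatekey = $demo/key.key
auth_advertise_hosts = \${if eq {\$tls_cipher}{}{}{*}}
EOF
for f in default tls_only tls_auth; do
    echo "== $f.conf"; audit_exim_tls "$demo/$f.conf" || true
done
```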
Re: Exim and TLS
Hi,
Does it work if you have several mail domains ?
Do you have anything to modify ?
thanks for your help
J