Re: [exim] TLS authentication
On 17/02/2023 04:18, Ian Zimmerman via Exim-users wrote:
> what is a "variable of type certificate" in exim's proudly unityped
> macro language?

$tls_{in,out}_(our,peer)cert are all certificate-type variables.
They are not useable as text, but can be used by a "certextract"
expansion. The documentation Concept Index has an entry for
"certificate", "variables".

-- 
Cheers,
  Jeremy

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] TLS authentication
On Thu, Feb 16, 2023 at 08:18:46PM -0800, Ian Zimmerman via Exim-users wrote:

> An excellent suggestion, thanks. I think I got stuck in this unproductive
> (it seems) rut of authentication by verification because of two things:
>
> - not immediately obvious how to *compute* the checksum to match in
>   the first place. I don't expect it's just the checksum over the pem
>   file, is it?

No, PEM is not suitably canonical, for that you'd want the ASN.1 DER
form of the public key (or full certificate, whichever you prefer).

> - the documentation for the md5 (and sha1) expansion operators is cryptic:
>
>       If the string is a single variable of type certificate, returns the
>       MD5 hash fingerprint of the certificate.

MD5 is deprecated, ideally Exim also supports sha256 in the same role.
The hash should be computed over the DER form.

> what is a "variable of type certificate" in exim's proudly unityped
> macro language?

I am a Postfix maintainer, mostly lurking on this list, except when it
comes to TLS-related or especially DANE-related issues. So can't answer
anything about Exim variables.

On the command-line, to extract the public key and/or certificate digests:

    # key digest
    $ openssl x509 -in cert.pem -pubkey -noout |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -binary |
        xxd -p -c32

    # cert digest
    $ openssl x509 -in cert.pem -outform DER |
        openssl dgst -sha256 -binary |
        xxd -p -c32

-- 
    Viktor.
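The two openssl pipelines above produce the digests on the command line. What follows is the same computation in Python, added here as an illustration; it is not part of the thread and not Exim or Postfix code. It walks the certificate's DER just far enough to pull out the SubjectPublicKeyInfo, hashes both the whole certificate and the key alone, and performs the allow-list lookup Viktor recommends. To run offline it builds its own sample certificate inline (a structurally valid, unsigned X.509 skeleton with toy RSA numbers and a placeholder signature); a real PEM file goes through the same functions unchanged.

```python
# Added example (not Exim or Postfix code): the two openssl pipelines above,
# done in Python, plus the allow-list lookup. The sample certificate is
# constructed from DER TLVs with toy RSA values and a placeholder signature.
import base64
import hashlib
import re


def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def seq(*items):
    return tlv(0x30, b"".join(items))


def read_header(buf, pos):
    """(tag, header length, body length) of the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, 2, first
    n = first & 0x7F
    return tag, 2 + n, int.from_bytes(buf[pos + 2:pos + 2 + n], "big")


def der_children(node):
    """Top-level children of a constructed node, each as a complete TLV."""
    _, hdr, body_len = read_header(node, 0)
    pos, end = hdr, hdr + body_len
    if end != len(node):
        raise ValueError("trailing data or truncated DER")
    children = []
    while pos < end:
        _, h, body = read_header(node, pos)
        children.append(node[pos:pos + h + body])
        pos += h + body
    if pos != end:
        raise ValueError("child overruns its parent")
    return children


def pem_to_der(pem):
    """Decode the first PEM block; PEM is not canonical, so hash the DER."""
    m = re.search(r"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return base64.b64decode("".join(m.group(1).split()))


def extract_spki(cert_der):
    """DER SubjectPublicKeyInfo of an X.509 certificate.

    Certificate    ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    fields = der_children(der_children(cert_der)[0])
    if fields[0][0] == 0xA0:            # explicit [0] version present (v2/v3)
        fields = fields[1:]
    spki = fields[5]
    if spki[0] != 0x30:
        raise ValueError("SubjectPublicKeyInfo is not a SEQUENCE")
    return spki


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def cert_fingerprint(pem):
    """Whole-certificate digest: openssl x509 -outform DER | openssl dgst -sha256."""
    return sha256_hex(pem_to_der(pem))


def spki_fingerprint(pem):
    """Public-key digest: unchanged when the same key is re-certified."""
    return sha256_hex(extract_spki(pem_to_der(pem)))


def is_authorised(pem, allowed_spki_sha256):
    """The table lookup an MTA would do instead of trusting chain verification."""
    return spki_fingerprint(pem) in allowed_spki_sha256


# Constructed sample material: no real key, no real signature.
OID_RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")    # 1.2.840.113549.1.1.1
OID_SHA256_WITH_RSA = bytes.fromhex("2a864886f70d01010b")   # 1.2.840.113549.1.1.11
MODULUS_A = (1 << 2047) | 0x10001                            # toy 2048-bit values
MODULUS_B = (1 << 2047) | 0x20003


def sample_spki(modulus):
    n = tlv(0x02, modulus.to_bytes(modulus.bit_length() // 8 + 1, "big"))  # positive INTEGER
    rsa_public_key = seq(n, tlv(0x02, b"\x01\x00\x01"))
    algorithm = seq(tlv(0x06, OID_RSA_ENCRYPTION), tlv(0x05, b""))
    return seq(algorithm, tlv(0x03, b"\x00" + rsa_public_key))


def sample_cert_pem(modulus, serial=1):
    """Structurally valid, unsigned v3 certificate carrying sample_spki(modulus)."""
    name = seq(tlv(0x31, seq(tlv(0x06, bytes.fromhex("550403")), tlv(0x0C, b"client"))))
    validity = seq(tlv(0x17, b"230101000000Z"), tlv(0x17, b"240101000000Z"))
    sig_alg = seq(tlv(0x06, OID_SHA256_WITH_RSA), tlv(0x05, b""))
    tbs = seq(tlv(0xA0, tlv(0x02, b"\x02")),                # [0] EXPLICIT version v3
              tlv(0x02, serial.to_bytes(1, "big")),
              sig_alg, name, validity, name, sample_spki(modulus))
    cert = seq(tbs, sig_alg, tlv(0x03, b"\x00" * 33))      # placeholder signature
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode()
            + "-----END CERTIFICATE-----\n")
```

Feed a real client certificate to spki_fingerprint() and it should agree with the first openssl pipeline; cert_fingerprint() should agree with the second. The constructed sample also shows why the key digest is the better table key: re-issuing the same key under a new serial changes cert_fingerprint() but leaves spki_fingerprint() alone, so the allow-list does not need editing every time a certificate is renewed.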
Re: [exim] TLS authentication
On Thu, Feb 16, 2023 at 09:29:20AM -0500, Viktor Dukhovni via Exim-users wrote:

> On the other hand, much better to simply maintain an explicit table of
> trusted client public keys and match these (by SHA256 fingerprint
> perhaps). Use a lookup table to check whether the client is authorised
> or not.

An excellent suggestion, thanks. I think I got stuck in this unproductive
(it seems) rut of authentication by verification because of two things:

- not immediately obvious how to *compute* the checksum to match in
  the first place. I don't expect it's just the checksum over the pem
  file, is it?

- the documentation for the md5 (and sha1) expansion operators is cryptic:

      If the string is a single variable of type certificate, returns the
      MD5 hash fingerprint of the certificate.

  what is a "variable of type certificate" in exim's proudly unityped
  macro language?

-- 
Ian
Re: [exim] TLS authentication
On Thu, Feb 16, 2023 at 09:17:51PM +0000, Jeremy Harris via Exim-users wrote:

> On 16/02/2023 21:09, Viktor Dukhovni via Exim-users wrote:
> > Some applications (want to) only accept client certificates issued by a
> > dedicated non-public CA, which amounts to an authorisation server
>
> In exim usage that's a test on a certextract of the issuer of
> $tls_in_peercert, either just in ACL or as part of the
> server_condition for an authenticator using the tls driver.
>
> For either, the TLS session has to have been accepted first.

The problem is that any root CA can issue a subCA with any subject DN it
wants. So just checking issuer names, and expecting these to uniquely
identify a private dedicated CA is not "safe". There is no global X.500
namespace that ensures uniqueness of CA "distinguished names", they're
just made up.

So, if I can't bypass the system trust store, I would be more inclined to
check the issuer public key, not the issuer DN.

That said, an OpenSSL application can just set the environment and get a
non-default trust store location:

    https://www.openssl.org/docs/manmaster/man3/X509_get_default_cert_dir_env.html

    const char *X509_get_default_cert_dir_env(void);
    const char *X509_get_default_cert_file_env(void);

Just set those environment variables (just between us friends, those are
"SSL_CERT_DIR" and "SSL_CERT_FILE") to a directory and file that hold
only the application-specific trust anchors, and the system trust store
would no longer be loaded by default.

This works for OpenSSL, can't speak to GnuTLS...

-- 
    Viktor.
Re: [exim] TLS authentication
On 16/02/2023 21:09, Viktor Dukhovni via Exim-users wrote:
> Some applications (want to) only accept client certificates issued by a
> dedicated non-public CA, which amounts to an authorisation server

In exim usage that's a test on a certextract of the issuer of
$tls_in_peercert, either just in ACL or as part of the
server_condition for an authenticator using the tls driver.

For either, the TLS session has to have been accepted first.

-- 
Cheers,
  Jeremy
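Putting Jeremy's pointer (an ACL test, or a tls-driver authenticator, working on $tls_in_peercert) together with Viktor's advice to authorise from a table of fingerprints rather than from the verification result or the issuer DN, an Exim configuration fragment could look like the following. This is an added example, not configuration from the thread and not something Exim ships. It assumes a current Exim that has the tls authenticator driver, an allow-list file /etc/exim/tls_client_fingerprints holding one lowercase hex SHA-256 fingerprint per line (the value `openssl x509 -in client.pem -outform DER | openssl dgst -sha256` prints), and it normalises the operator's output with lc before the lookup. One caveat to keep in mind: Exim's sha256 operator applied to a certificate variable digests the whole certificate, and certextract exposes no SubjectPublicKeyInfo, so the table holds certificate fingerprints, not the public-key digests of Viktor's first openssl pipeline; a re-issued certificate therefore needs a fresh entry.

```exim
# Added example for this thread (not from the posts, not Exim's own config).
# Authorise TLS client certificates by fingerprint lookup; which CAs the
# library loaded (system store or not) no longer decides who may relay.

# Main section: Exim only asks the client for a certificate when one of the
# verify host lists matches, so request one from everybody but do not drop
# the session when the chain does not verify. Verification is not what
# authorises here; the lookup below is.
tls_verify_certificates = system
tls_try_verify_hosts    = *

begin acl

# acl_smtp_rcpt: a client whose certificate fingerprint is on the list may
# relay, whatever chain it carried and whether or not that chain verified.
acl_check_rcpt:
  accept  domains   = +local_domains
  accept  condition = ${if def:tls_in_peercert}
          condition = ${lookup{${lc:${sha256:$tls_in_peercert}}}lsearch{/etc/exim/tls_client_fingerprints}{yes}{no}}
          logwrite  = relay authorised by TLS client certificate ${lc:${sha256:$tls_in_peercert}}
  deny    message   = relay not permitted

begin authenticators

# Alternative: the same test as an authenticator of the tls driver, so the
# session counts as authenticated and $authenticated_id carries the
# fingerprint; the usual "authenticated = *" ACL conditions then apply.
tls_client_cert:
  driver           = tls
  server_param1    = ${lc:${sha256:$tls_in_peercert}}
  server_condition = ${lookup{$auth1}lsearch{/etc/exim/tls_client_fingerprints}{yes}{no}}
  server_set_id    = $auth1
```

An issuer check such as `${certextract{issuer}{$tls_in_peercert}}` can still be added as a second condition, but for the reason Viktor gives in the thread it should not be the only one: the fingerprint table is what pins the client, and it does not depend on any DN being unique.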
Re: [exim] TLS authentication
On Thu, Feb 16, 2023 at 09:44:55PM +0100, Heiko Schlittermann via Exim-users wrote:

> > Is it at all possible with OpenSSL to stop the "system" location from
> > being checked? If not, that seems to make the use of TLS for client
> > authentication impossible because any certificate presented by
> > e.g. Google will pass verification. Am I reading this correctly?
>
> IMHO it shouldn't be sufficient to accept any client that just has a
> verified certificate ("authenticated"). You should check if the client
> is "authorized", by checking required certificate attributes (issuer,
> subject, …)

Some applications (want to) only accept client certificates issued by a
dedicated non-public CA, which amounts to an authorisation server. If the
CA gave you a cert, you're an authorised user of the application until
the cert expires (or is revoked, if the server application has access to
timely CRLs, ...)

They drank the PKI Kool-Aid. I don't recommend this design. Often simpler
to just use a list of authorised public keys instead.

-- 
    Viktor.
Re: [exim] TLS authentication
Ian Zimmerman via Exim-users (Tue 14 Feb 2023 01:40:52 CET):
> With OpenSSL the certificates specified explicitly either by file or
> directory are added to those given by the system default location.
>
> Is it at all possible with OpenSSL to stop the "system" location from
> being checked? If not, that seems to make the use of TLS for client
> authentication impossible because any certificate presented by
> e.g. Google will pass verification. Am I reading this correctly?

IMHO it shouldn't be sufficient to accept any client that just has a
verified certificate ("authenticated"). You should check if the client
is "authorized", by checking required certificate attributes (issuer,
subject, …)

Maybe I got you wrong.

-- 
Heiko
Re: [exim] TLS authentication
On Mon, Feb 13, 2023 at 04:40:52PM -0800, Ian Zimmerman via Exim-users wrote:

> With OpenSSL the certificates specified explicitly either by file or
> directory are added to those given by the system default location.
>
> Is it at all possible with OpenSSL to stop the "system" location from
> being checked? If not, that seems to make the use of TLS for client
> authentication impossible because any certificate presented by
> e.g. Google will pass verification. Am I reading this correctly?

In principle, yes, it just requires not loading the default certificate
store by not calling SSL_CTX_set_default_verify_paths(3). So if you want
to permit only clients with trusted certificates signed by just your own
CA, indeed you need to avoid loading the default cert store.

On the other hand, much better to simply maintain an explicit table of
trusted client public keys and match these (by SHA256 fingerprint
perhaps). Use a lookup table to check whether the client is authorised
or not.

-- 
    Viktor.
Re: [exim] TLS authentication
On 14/02/2023 00:40, Ian Zimmerman via Exim-users wrote:
> Is it at all possible with OpenSSL to stop the "system" location from
> being checked?

No.

> If not, that seems to make the use of TLS for client
> authentication impossible because any certificate presented by
> e.g. Google will pass verification. Am I reading this correctly?

Please define your authentication requirements: exactly what do you
want checked?

-- 
Cheers,
  Jeremy
Re: [exim] TLS Authentication Strength
On 2007-11-26 at 15:27 +0000, andylockran wrote:
> I'm setting up a cluster of servers for the PCI DSS and I've only got
> one vulnerability left - which is that SSL/TLS supports weak
> authentication in exim. (I managed to set SSLv2 to disabled on exim
> with the following line:)
>
>   tls_require_ciphers = HIGH:!MEDIUM:!LOW:SSLv3:!SSLv2:!DES
>
> Unfortunately, this does not set the authentication method to only
> support HIGH Levels of encryption (128bit or above). I can't find any
> information about where this should be set.. and i know this line
> works as it manages to disable SSLv2. I've checked section 38 of the
> manual (and 38.4 specifically as I'm using openssl).
>
> One of the solutions may be to specify the particular encryption
> methods on this line - but does anyone know a way of implementing the
> HIGH:MEDIUM:LOW setting in a similar way to the following (from
> proftpd).
>
>   TLSCipherSuite HIGH:MEDIUM:!ADH:!SSLv2

It's left-to-right, IIRC, and so adding SSLv3 later overrode the
!MEDIUM.

I use (but I'm not a cryptographer):

  tls_require_ciphers = ALL:!SSLv2:!LOW:!EXPORT:!ADH:!NULL:!DES:@STRENGTH

Turn them all on, disable LOW, the EXPORT restricted ones, Anonymous DH,
the NULL, the plain DES and then sort the remainder in strength order,
so that the strongest one is preferred.

Provided that your OS installs the OpenSSL man-pages, ciphers(1) should
list the options available. Otherwise the current doc (as opposed to
docs for your installed version) is at:

  http://www.openssl.org/docs/apps/ciphers.html

Oh, cool, NULL is not included in ALL so my !NULL is sheer paranoia.
I'll leave it there. :^)

-Phil

-- 
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
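Phil's remark that the string is evaluated left to right is the key to reading these cipher lists. As an added illustration, not from the thread and not OpenSSL's own code or its real cipher table, here is a small Python model of the rules ciphers(1) documents, run over a made-up table of suites tagged the way OpenSSL's keywords tag them. It shows why a broad keyword placed after exclusions can pull suites back in, and why `!` and `-` differ (`!` removes for good, `-` only until a later keyword adds the suite again). Which suites a real build files under HIGH or SSLv3 must be checked with `openssl ciphers -v '<list>'`, and with OpenSSL 1.1.1 and later the TLS 1.3 suites are configured through a separate setting that this string does not touch.

```python
# Added example: a model of OpenSSL cipher-list evaluation per ciphers(1).
# Not OpenSSL's code. The table is constructed (toy names, keyword tags chosen
# to resemble the 2007-era suites in the thread); it shows the mechanics of
# the syntax, not what any real build puts under HIGH or SSLv3.

# (name, key bits, keywords the suite matches)
CIPHERS = [
    ("AES256-SHA",     256, {"ALL", "HIGH", "SSLv3", "AES", "RSA"}),
    ("AES128-SHA",     128, {"ALL", "HIGH", "SSLv3", "AES", "RSA"}),
    ("DES-CBC3-SHA",   168, {"ALL", "HIGH", "SSLv3", "3DES", "RSA"}),
    ("RC4-SHA",        128, {"ALL", "MEDIUM", "SSLv3", "RC4", "RSA"}),
    ("DES-CBC-SHA",     56, {"ALL", "LOW", "SSLv3", "DES", "RSA"}),
    ("EXP-RC4-MD5",     40, {"ALL", "EXPORT", "LOW", "SSLv3", "RC4", "RSA"}),
    ("ADH-AES128-SHA", 128, {"ALL", "HIGH", "SSLv3", "ADH", "AES"}),
    ("NULL-SHA",         0, {"NULL", "SSLv3", "RSA"}),            # ALL excludes NULL
    ("RC4-MD5-SSLv2",  128, {"ALL", "MEDIUM", "SSLv2", "RC4", "RSA"}),
]


def matches(tags, spec):
    """'RSA+AES' style specs match suites carrying every listed keyword."""
    return all(keyword in tags for keyword in spec.split("+"))


def evaluate(cipher_list, table=CIPHERS):
    """Ordered suite names a cipher-list string selects.

    Tokens apply left to right: a bare keyword appends the matching suites
    not yet listed (in table order), '-' drops them but a later keyword may
    add them back, '!' drops them permanently, '+' moves them to the end,
    and @STRENGTH sorts what is left by key size, strongest first.
    """
    bits = {name: b for name, b, _ in table}
    current = []      # ordered selection so far
    killed = set()    # removed with '!', never re-added
    for token in cipher_list.split(":"):
        if not token:
            continue
        if token == "@STRENGTH":
            current.sort(key=lambda name: -bits[name])   # stable: ties keep order
            continue
        op, spec = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        hit = [name for name, _, tags in table if matches(tags, spec)]
        if op == "!":
            killed.update(hit)
            current = [n for n in current if n not in hit]
        elif op == "-":
            current = [n for n in current if n not in hit]
        elif op == "+":
            current = [n for n in current if n not in hit] + [n for n in current if n in hit]
        else:
            current += [n for n in hit if n not in current and n not in killed]
    return current


def weakest_bits(cipher_list, table=CIPHERS):
    """Key size of the weakest suite still allowed (0 means a NULL suite got in)."""
    bits = {name: b for name, b, _ in table}
    chosen = evaluate(cipher_list, table)
    return min(bits[n] for n in chosen) if chosen else None


if __name__ == "__main__":
    for s in ("HIGH:!MEDIUM:!LOW:SSLv3:!SSLv2:!DES",
              "ALL:!SSLv2:!LOW:!EXPORT:!ADH:!NULL:!DES:@STRENGTH",
              "HIGH:-HIGH:HIGH", "HIGH:!HIGH:HIGH"):
        print(f"{s}\n  -> {evaluate(s)}  (weakest: {weakest_bits(s)} bits)")
```

On this toy table the first string from the thread ends up with an anonymous-DH suite and a NULL suite in the list, because the bare SSLv3 keyword after the exclusions appends every SSLv3 suite that was not already killed; the second string keeps them out because every unwanted class is excluded with `!` before @STRENGTH sorts the rest. The same model, applied to `openssl ciphers -v` output instead of the constructed table, is a quick way to review a proposed tls_require_ciphers value.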
Re: [exim] TLS Authentication at gmail failing
On Sat, 28 Oct 2006 15:39:15 +0200, Hadron Quark [EMAIL PROTECTED] wrote:
> This all sounds ridiculously difficult. I find it incredible that I
> can't reference smtp.gmail.com as normal email clients do.

You can, and your HOWTO gets _this_ right: Simply use * and live with
the fact that this might disclose your password to the wrong host.

> > It _might_ help to deliver a message from the command line with
> > </dev/null exim -d target.address and to send the debug output to a
> > paste service. Beware that this output might contain your SMTP AUTH
> > password, so you'd need to sanitize the output before posting.
>
> I have no idea what you are talking about. Thanks for your help, but
> it seems this is more trouble than it's worth.

A pity. So we are not able to improve our documentation or do find out
what is going wrong on your system.

Greetings
Marc

-- 
!! No courtesy copies, please !!
Marc Haber         | Questions are the             | Mailadresse im Header
Mannheim, Germany  | Beginning of Wisdom           | http://www.zugschlus.de/
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834

-- 
## List details at http://www.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/
Re: [exim] TLS Authentication at gmail failing
On Sun, 29 Oct 2006 20:38:04 +0800, W B Hacker [EMAIL PROTECTED] wrote:
> - Having Exim perform MUA-style 'client' functions is possible, but not
>   as easy as a few 'box ticks' and filled-in blanks on a userland MUA.

It is actually easy in Debian's exim4 packages, which the anonymous
original poster is using, and it works for me.

Additionally, the outdated and misleading HOWTO he uses miraculously
fits his situation, so his exim should work fine. Unfortunately, he is
not willing to help in finding the bug, and he is asking in the wrong
forum.

Greetings
Marc
Re: [exim] TLS Authentication at gmail failing
Marc Haber wrote:
> On Sun, 29 Oct 2006 20:38:04 +0800, W B Hacker [EMAIL PROTECTED] wrote:
> > - Having Exim perform MUA-style 'client' functions is possible, but
> >   not as easy as a few 'box ticks' and filled-in blanks on a userland
> >   MUA.
>
> It is actually easy in Debian's exim4 packages, which the anonymous
> original poster is using, and it works for me.

Despite being a user of 'other than..' I have read your docs, and I have
to agree.

- if that is what you are using, that is where you look, and what you
  need IS THERE.

> Additionally, the outdated and misleading HOWTO he uses miraculously
> fits his situation, so his exim should work fine. Unfortunately, he is
> not willing to help in finding the bug, and he is asking in the wrong
> forum.
>
> Greetings
> Marc

I have no idea if just-released Ubuntu 'Edgy' has, or has not used your
work unaltered, but it DOES look as if he HAS changed the defaults.

== I have modified none of them from the default Ubuntu Edgy install ==

I wonder if we have been trolled ;-)

Bill Hacker
Re: [exim] TLS Authentication at gmail failing
W B Hacker [EMAIL PROTECTED] writes:

> Hadron Quark wrote:
>
> *snip* largely circular discussion by now...
>
> > I have no idea what you are talking about. Thanks for your help, but
> > it seems this is more trouble than it's worth. Even the wiki didn't
> > work.
>
> Can we start over, please?

Yes. Any help much appreciated.

> What sort of messages, besides the cron'ed reports mentioned, do you
> wish to get from your Linux box to the outside world?

What cron reports? Are you referring to the exim log? See below.

> Does your Linux box, for example, support users other than yourself
> who need to send and receive mail? Mailing lists? A Wiki? Webforms?
> or what?
>
> There are many possibilities, some of them dirt-simple, but we are
> getting wrapped up in the details of the process before understanding
> the specifics of the need.

I must admit to being a little confused by the previous reply which
seemed to be getting into coding details about stuff I had never heard
of.

I will start again: I want exim4 configured to deliver email using a
smarthost. A Gmail smarthost. This is one of the 3 or 4 main modes of
exim it would appear so why this should be extremely complicated as
suggested earlier is a surprise to me.

I have:

 - added the procmail_pipe to my config for local mail delivery : works fine.
 - modified my passwd.client
 - added port=587 to my config
 - set the smarthost to be smtp.gmail.com in my config
 - updated the config
 - restarted the exim server

if I bash:

  echo test | mail [EMAIL PROTECTED]

I get this in my exim mainlog:

  2006-10-28 19:52:40 1GdsMK-0004L8-6E <= [EMAIL PROTECTED] U=hadron P=local S=333
  2006-10-28 19:52:51 1GdsMK-0004L8-6E plain authenticator failed H=gmail-smtp.l.google.com [66.249.93.109] 535 5.7.1 Credentials Rejected y7sm962917ugc
  2006-10-28 19:52:51 1GdsMK-0004L8-6E login authenticator failed H=gmail-smtp.l.google.com [66.249.93.109] 535 5.7.1 Credentials Rejected y7sm962917ugc
  2006-10-28 19:52:51 1GdsMK-0004L8-6E ** [EMAIL PROTECTED] R=smarthost T=remote_smtp_smarthost: SMTP error from remote mail server after MAIL FROM:[EMAIL PROTECTED] SIZE=1367: host gmail-smtp.l.google.com [66.249.93.109]: 530 5.5.1 Authentication Required y7sm962917ugc
  2006-10-28 19:53:01 1GdsMf-0004LJ-Me <= <> R=1GdsMK-0004L8-6E U=Debian-exim P=local S=1285
  2006-10-28 19:53:01 1GdsMK-0004L8-6E Completed

I don't understand authenticators, I have modified none of them from
the default Ubuntu Edgy install. I don't understand the errors above.

Any pointer much appreciated.

> Bill
Re: [exim] TLS Authentication at gmail failing
W B Hacker [EMAIL PROTECTED] writes:

> Hadron Quark wrote:
> > W B Hacker [EMAIL PROTECTED] writes:
> > > Hadron Quark wrote:
> > > *snip* of.
> >
> > I will start again: I want exim4 configured to deliver email using a
> > smarthost. A Gmail smarthost.
>
> You have (once again) skipped all the important stuff. i.e *what sort
> of mail* and *from whom* really matters here BECAUSE:

I posted a line to generate a standard text mail to a gmail account via
a smarthost. How can it be more clear?

> - Everything you have so far posted gives me a 'strong suspicion' that
>   you are trying to use Exim, a 'Message Transfer Agent', or MTA, when
>   all you really need is a 'Message User Agent', or MUA.

This is getting ridiculous. Where do you get me using it as an MUA come
from. I have said I want it to operate delivering via a smarthost. I am
using it as an MTA. Normally I use (as stated before) smtpmail.el in
gnus as my MUA. However, I use exim4 to involve procmail for LOCAL mail
(e.g cron jobs sending an email) delivery and I want it to also talk to
GMAIL SMTP server in smarthost mode since I have a dynamic IP and I
can't deliver external mails from a local smtp server (blacklisted IP
blocks from my ISP). I really don't see how this can be clearer.

> - Having Exim perform MUA-style 'client' functions is possible, but not
>   as easy as a few 'box ticks' and filled-in blanks on a userland MUA.

I'm sorry. I don't understand. Did you read the howto link I posted?

Again - I followed the following wiki (and read the docs), and the
errors I get I posted in the previous post. Can you decipher them and
tell me what is wrong? Clearly exim DOES talk to smtp.gmail.com but for
some reason authentication is not being done or recognised. The error
messages make that clear.

  http://wiki.debian.org/GmailAndExim4

> > This is one of the 3 or 4 main modes of exim it would appear so why
> > this should be extremely complicated as suggested earlier is a
> > surprise to me.
>
> It is complicated only because; You also have to configure for a great
> many things that it appears you do not need and may not use. Ever.

Let's not worry about them. There are sensible defaults. All I want is
smarthost via gmail and local delivery via procmail - the latter is
done. The former is not working : the error messages are posted in the
previous posts. Authentication is NOT being performed properly.

> It is a bit like deciding to build a private freight train to carry a
> loaf of bread home when a simple train *ticket* might be less hassle.

No. I just want exim4 to deliver via a smart host.

> As you haven't studied smtp in general or Exim in particular, you
> really should expect to do a great deal of reading.

I did. Did you read the wiki I posted a link to?

> Not trying to put you off - it is worthwhile learning. But it doesn't
> come without time invested.

Did you read the error messages? Do they mean anything to you? Even I
can tell people to read the manuals. Can you help?
Re: [exim] TLS Authentication at gmail failing
Marc Haber [EMAIL PROTECTED] writes:

> On Sat, 28 Oct 2006 15:39:15 +0200, Hadron Quark [EMAIL PROTECTED] wrote:
> > This all sounds ridiculously difficult. I find it incredible that I
> > can't reference smtp.gmail.com as normal email clients do.
>
> You can, and your HOWTO gets _this_ right: Simply use * and live with
> the fact that this might disclose your password to the wrong host.
>
> > > It _might_ help to deliver a message from the command line with
> > > </dev/null exim -d target.address and to send the debug output to
> > > a paste service. Beware that this output might contain your SMTP
> > > AUTH password, so you'd need to sanitize the output before posting.
> >
> > I have no idea what you are talking about. Thanks for your help, but
> > it seems this is more trouble than it's worth.
>
> A pity. So we are not able to improve our documentation or do find out
> what is going wrong on your system.

I have posted the logs twice now. Still no one has commented on what the
problem might be there : just tried to dissuade me from using exim for
some reason.

Could anyone comment on these logs please? Clearly exim IS talking to
gmail's smtp server so it's not an issue of the passwd.client file.

  2006-10-29 14:03:45 1GeAKH-0002Pu-4L <= [EMAIL PROTECTED] U=hadron P=local S=322
  2006-10-29 14:03:56 1GeAKH-0002Pu-4L plain authenticator failed H=gmail-smtp.l.google.com [66.249.93.109] 535 5.7.1 Credentials Rejected 54sm1924149ugp
  2006-10-29 14:03:56 1GeAKH-0002Pu-4L login authenticator failed H=gmail-smtp.l.google.com [66.249.93.109] 535 5.7.1 Credentials Rejected 54sm1924149ugp
  2006-10-29 14:03:56 1GeAKH-0002Pu-4L ** [EMAIL PROTECTED] R=smarthost T=remote_smtp_smarthost: SMTP error from remote mail server after MAIL FROM:[EMAIL PROTECTED] SIZE=1355: host gmail-smtp.l.google.com [66.249.93.109]: 530 5.5.1 Authentication Required 54sm1924149ugp
  2006-10-29 14:04:06 1GeAKc-0002Q7-Ma <= <> R=1GeAKH-0002Pu-4L U=Debian-exim P=local S=1277
  2006-10-29 14:04:06 1GeAKH-0002Pu-4L Completed

This is AFTER following this wiki:

  http://wiki.debian.org/GmailAndExim4

Do I have to enable authenticators or something? How would I debug this
to provide you experts with the info you need?

Again : I wish to use exim4 to deliver via a gmail smarthost. According
to the documentation this is supported and should be easy to configure :
not overly complicated or underkill for exim. I already have it
delivering locally via procmail. But I wish to forward internal system
mail (e.g cron reports) to an external address. I can not deliver from
my own smtp server because I have dynamic IP which is in a black listed
IP block. Hence the common need to use smarthost delivery.

Any and all help appreciated.

> Greetings
> Marc
Re: [exim] TLS Authentication at gmail failing
Marc Haber [EMAIL PROTECTED] writes:

> On Sun, 29 Oct 2006 20:38:04 +0800, W B Hacker [EMAIL PROTECTED] wrote:
> > - Having Exim perform MUA-style 'client' functions is possible, but
> >   not as easy as a few 'box ticks' and filled-in blanks on a userland
> >   MUA.
>
> It is actually easy in Debian's exim4 packages, which the anonymous
> original poster is using, and it works for me.
>
> Additionally, the outdated and misleading HOWTO he uses miraculously
> fits his situation, so his exim should work fine. Unfortunately, he is
> not willing to help in finding the bug, and he is asking in the wrong
> forum.

Not willing to help find the bug?!?! Do you read the posts or just take
a guess?

But no need for you to worry : I uninstalled exim completely, removed
exim4 directory, reinstalled it, added the port, modified the
passwd.client, added the procmail_pipe part and it worked.
Re: [exim] TLS Authentication at gmail failing
Hadron Quark wrote:
> Marc Haber [EMAIL PROTECTED] writes:
>
> > On Sun, 29 Oct 2006 20:38:04 +0800, W B Hacker [EMAIL PROTECTED] wrote:
> > > - Having Exim perform MUA-style 'client' functions is possible, but
> > >   not as easy as a few 'box ticks' and filled-in blanks on a
> > >   userland MUA.
> >
> > It is actually easy in Debian's exim4 packages, which the anonymous
> > original poster is using, and it works for me.
> >
> > Additionally, the outdated and misleading HOWTO he uses miraculously
> > fits his situation, so his exim should work fine. Unfortunately, he
> > is not willing to help in finding the bug, and he is asking in the
> > wrong forum.
>
> Not willing to help find the bug?!?! Do you read the posts or just take
> a guess?
>
> But no need for you to worry : I uninstalled exim completely, removed
> exim4 directory, reinstalled it, added the port, modified the
> passwd.client, added the procmail_pipe part and it worked.

Thereby un-doing whatever it was you had done and not [intended |
realized].

Good news!

Is the bar open yet?
Re: [exim] TLS Authentication at gmail failing
On Sun, 29 Oct 2006 17:59:43 +0100, Hadron Quark [EMAIL PROTECTED] wrote:
> Marc Haber [EMAIL PROTECTED] writes:
> > A pity. So we are not able to improve our documentation or do find
> > out what is going wrong on your system.
>
> I have posted the logs twice now.

Yes, but no debug information, which is what I have been asking for.

> 2006-10-29 14:03:45 1GeAKH-0002Pu-4L <= [EMAIL PROTECTED] U=hadron P=local S=322
> 2006-10-29 14:03:56 1GeAKH-0002Pu-4L plain authenticator failed H=gmail-smtp.l.google.com [66.249.93.109] 535 5.7.1 Credentials Rejected 54sm1924149ugp

Looks like the password or the user name is wrong. That's, btw, a
different error than you had previously.

> This is AFTER following this wiki: http://wiki.debian.org/GmailAndExim4
>
> Do I have to enable authenticators or something?

No.

> How would I debug this to provide you experts with the info you need?

That is mentioned in the Debian exim4 User FAQ since yesterday.

Greetings
Marc
Re: [exim] TLS Authentication at gmail failing
On Fri, 27 Oct 2006 13:18:21 +0200, Hadron Quark [EMAIL PROTECTED] wrote:
> Marc Haber [EMAIL PROTECTED] writes:
> > On Fri, 27 Oct 2006 10:00:25 +0200, Hadron Quark [EMAIL PROTECTED] wrote:
> > > I have configured exim4 to use smarthost for sending mails. I have,
> > > successfully, configured it to use procmail_pipe to intercept local
> > > destinations - e.g I can mail from the Linux command line to
> > > [EMAIL PROTECTED] and procmail is invoked by exim4 to deliver to my
> > > local maildirs.
> > >
> > > The problem I have is that, using mail as opposed to my smtpmail
> > > package in gnus and thus using exim4, the smarthost authentication
> > > is failing. It worked twice and then stopped working. Here is the
> > > logline I get:
> > >
> > > 2006-10-27 09:33:21 1GdMDG-0001tT-D9 ** [EMAIL PROTECTED] R=smarthost T=remote_smtp_smarthost: SMTP error from remote mail server after MAIL FROM:[EMAIL PROTECTED] SIZE=1369: host gmail-smtp.l.google.com [66.249.93.111]: 530 5.5.1 Authentication Required c1sm157417ugf
> >
> > That looks like your exim is not trying to authenticate.
> > http://wiki.debian.org/PkgExim4UserFAQ#head-c1af64f5f8594bec680ed64a199607afb8e1c084
> > might help here.
>
> Not really as it offers no advice on how to setup. I don't know enough
> about SMTP to debug anything.

If you do not know that much about SMTP, then you should probably not
run a mail server on the public Internet.

I have, however, added some advice about how to debug to the FAQ entry.
It might be more helpful now.

> | Next, set up the client to send all outgoing mail via the relay host.
> | Install exim4 and set it to use your relay server as a smarthost.
> | Edit /etc/exim4/passwd.client and put in your username and password,
> | something like:
> |
> | ### CONFDIR/passwd.client
> | #
> | # Format:
> | # targetmailserver.example:login:password
> | #
> | # default entry:
> | ### *:bar:foo
> | *:USERNAME:PASSWORD

That is correct, and the * keeps you from hitting the trap mentioned in
http://bugs.debian.org/244724 and
http://pkg-exim4.alioth.debian.org/README/exim4-config_files.5.html#/etc/exim4/passwd.client

> | Finally, hack your exim4.conf.template to use port 26 instead of 25.
> | Find the section for remote_smtp_smarthost and add port = 26 to it.
> | In my file it looks like this:
> |
> | remote_smtp_smarthost:
> |   debug_print = T: remote_smtp_smarthost for [EMAIL PROTECTED]
> |   driver = smtp
> |   hosts_try_auth = ${if exists {CONFDIR/passwd.client}{DCsmarthost}{}}
> |   tls_tempfail_tryclear = false
> |   DEBCONFheaders_rewriteDEBCONF
> |   DEBCONFreturn_pathDEBCONF
> |   port = 26
> |
> | That should be it. Now mail sent locally will get relayed via port 26
> | on your relay host.
>
> > Please note that your third-party HOWTO gives the bad advice of
> > delivering to port tcp/26. smtp.google.com only listens on Ports
> > tcp/25 and tcp/587.
>
> The how to I referenced didn't do anything with google. It was to do
> with setting up your OWN smarthost for connecting to when on the road.
> As I said above, I already changed the port to 587 anyway.

Good.

> > I have just checked: smtp.google.com offers STARTTLS and only
> > advertises SMTP AUTH after the connection has been encrypted. Thus,
> > the Debian exim4 should be able to authenticate fine. I have verified
> > both with swaks and exim4 that authentication works. The only trap
> > that I can see is that smtp.google.com is a CNAME, so you'll need to
> > either put an asterisk in your passwd.client line or explicitly name
> > the reverse DNS name of smtp.google.com, which is (today)
> > gmail-smtp.l.google.com.
>
> Can you reference the info about this asterisk?

Sure. I already did. Information is available in
http://bugs.debian.org/244724 and
http://pkg-exim4.alioth.debian.org/README/exim4-config_files.5.html#/etc/exim4/passwd.client

> As for the CNAME - my exim4 log reveals it has started a conversation
> with the smtp server just fine - so where does this CNAME come in?

The plain authenticator in Debian's default configuration uses $host as
a key into /etc/exim4/passwd.client, and that variable contains the name
of the host you are actually connected to, which is most probably taken
from the reverse DNS entry of the associated IP address. Thus, an entry
smtp.gmail.com would not match for the host you are connected to.
Changing this without exim helping here (which would require a change in
exim program code) is _exceptionally_ hard in the configuration.

> > May I ask why you chose to ignore all Debian documentation and
> > instead went to honor a third-party HOWTO that clearly shows that its
> > author is not familiar with Debian's exim packages?
>
> Because I couldn't google anything up which was easy enough to follow :
> as a newbie, totally unfamiliar with exim4 the main docs are extremely
> hard to follow.

Running a Mail server on the Internet requires considerable knowledge,
and it is a bad idea to do this without even knowing the basics of mail
processing.

> If you know of a small howto which works

No. The topic is complex and requires considerable knowledge. It _might_
help to
Re: [exim] TLS Authentication at gmail failing
Marc Haber [EMAIL PROTECTED] writes:

> On Fri, 27 Oct 2006 13:18:21 +0200, Hadron Quark [EMAIL PROTECTED] wrote:
>> Marc Haber [EMAIL PROTECTED] writes:
>>> On Fri, 27 Oct 2006 10:00:25 +0200, Hadron Quark [EMAIL PROTECTED] wrote:
>>>> I have configured exim4 to use smarthost for sending mails. I have,
>>>> successfully, configured it to use procmail_pipe to intercept local
>>>> destinations - e.g. I can mail from the Linux command line to
>>>> [EMAIL PROTECTED] and procmail is invoked by exim4 to deliver to my
>>>> local maildirs.
>>>>
>>>> The problem I have is that, using mail as opposed to my smtpmail
>>>> package in gnus and thus using exim4, the smarthost authentication is
>>>> failing. It worked twice and then stopped working. Here is the
>>>> logline I get:
>>>>
>>>> 2006-10-27 09:33:21 1GdMDG-0001tT-D9 ** [EMAIL PROTECTED] R=smarthost T=remote_smtp_smarthost: SMTP error from remote mail server after MAIL FROM:[EMAIL PROTECTED] SIZE=1369: host gmail-smtp.l.google.com [66.249.93.111]: 530 5.5.1 Authentication Required c1sm157417ugf
>>>
>>> That looks like your exim is not trying to authenticate.
>>> http://wiki.debian.org/PkgExim4UserFAQ#head-c1af64f5f8594bec680ed64a199607afb8e1c084
>>> might help here.
>>
>> Not really as it offers no advice on how to setup. I don't know enough
>> about SMTP to debug anything.
>
> If you do not know that much about SMTP, then you should probably not
> run a mail server on the public Internet.

I want to be able to send emails via an smtp smart host using the well
publicised exim4 stuff. I don't wish to open my machine as a relay or a
receiver.

> I have, however, added a few advices about how to debug to the FAQ
> entry. It might be more helpful now.
>
>>> | Next, set up the client to send all outgoing mail via the relay
>>> | host. Install exim4 and set it to use your relay server as a
>>> | smarthost.
>>> | Edit /etc/exim4/passwd.client and put in your username and password,
>>> | something like:
>>> |
>>> | ### CONFDIR/passwd.client
>>> | #
>>> | # Format:
>>> | #targetmailserver.example:login:password
>>> | #
>>> | # default entry:
>>> | ### *:bar:foo
>>> | *:USERNAME:PASSWORD
>>>
>>> That is correct, and the * keeps you from hitting the trap mentioned
>>> in http://bugs.debian.org/244724 and
>>> http://pkg-exim4.alioth.debian.org/README/exim4-config_files.5.html#/etc/exim4/passwd.client
>>>
>>> | Finally, hack your exim4.conf.template to use port 26 instead of 25.
>>> | Find the section for remote_smtp_smarthost and add port = 26 to it.
>>> | In my file it looks like this:
>>> |
>>> | remote_smtp_smarthost:
>>> |   debug_print = T: remote_smtp_smarthost for [EMAIL PROTECTED]
>>> |   driver = smtp
>>> |   hosts_try_auth = ${if exists {CONFDIR/passwd.client}{DCsmarthost}{}}
>>> |   tls_tempfail_tryclear = false
>>> |   DEBCONFheaders_rewriteDEBCONF
>>> |   DEBCONFreturn_pathDEBCONF
>>> |   port = 26
>>> |
>>> | That should be it. Now mail sent locally will get relayed via port
>>> | 26 on your relay host.
>>>
>>> Please note that your third-party HOWTO gives the bad advice of
>>> delivering to port tcp/26. smtp.google.com only listens on Ports
>>> tcp/25 and tcp/587.
>>
>> The how to I referenced didn't do anything with google. It was to do
>> with setting up your OWN smarthost for connecting to when on the road.
>> As I said above, I already changed the port to 587 anyway.
>
> Good.
>
>>> I have just checked: smtp.google.com offers STARTTLS and only
>>> advertises SMTP AUTH after the connection has been encrypted. Thus,
>>> the Debian exim4 should be able to authenticate fine. I have verified
>>> both with swaks and exim4 that authentication works. The only trap
>>> that I can see is that smtp.google.com is a CNAME, so you'll need to
>>> either put an asterisk in your passwd.client line or explicitly name
>>> the reverse DNS name of smtp.google.com, which is (today)
>>> gmail-smtp.l.google.com.
>>
>> Can you reference the info about this asterisk?
>
> Sure. I already did.
>
> Information is available in http://bugs.debian.org/244724 and
> http://pkg-exim4.alioth.debian.org/README/exim4-config_files.5.html#/etc/exim4/passwd.client
>
>> As for the CNAME - my exim4 log reveals it has started a conversation
>> with the smtp server just fine - so where does this CNAME come in?
>
> The plain authenticator in Debian's default configuration uses $host as
> a key into /etc/exim4/passwd.client, and that variable contains the
> name of the host you are actually connected to, which is most probably
> taken from the reverse DNS entry of the associated IP address. Thus, an
> entry smtp.gmail.com would not match for the host you are connected to.
> Changing this without exim helping here (which would require a change
> in exim program code) is _exceptionally_ hard in the configuration.

This all sounds ridiculously difficult. I find it incredible that I
can't reference smtp.gmail.com as normal email clients do. Maybe you're
right: maybe exim4 isn't what I want or need. How to setup my system to
send mails locally and to the internet via a smart host from the Linux
mail facilities then? I want to be able to send to external targets via
cron etc too.

>>> May I ask why you chose to ignore all Debian
Re: [exim] TLS Authentication at gmail failing
Hadron Quark wrote:

*snip* largely circular discussion by now...

> I have no idea what you are talking about. Thanks for your help, but it
> seems this is more trouble than it's worth. Even the wiki didn't work.

Can we start over, please?

What sort of messages, besides the cron'ed reports mentioned, do you wish
to get from your Linux box to the outside world? Does your Linux box, for
example, support users other than yourself who need to send and receive
mail? Mailing lists? A Wiki? Webforms? or what?

There are many possibilities, some of them dirt-simple, but we are
getting wrapped up in the details of the process before understanding
the specifics of the need.

Bill

--
## List details at http://www.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/
Re: [exim] TLS Authentication at gmail failing
On 28/10/2006 14:39, Hadron Quark wrote:
> Marc Haber [EMAIL PROTECTED] writes:
>> If you do not know that much about SMTP, then you should probably not
>> run a mail server on the public Internet.
>
> I want to be able to send emails via an smtp smart host using the well
> publicised exim4 stuff. I don't wish to open my machine as a relay or a
> receiver.

He has a point, but it should be possible to get the odd email out from
a Linux box, and it's less likely you'll end up with an open relay using
exim than with any other.

[]

> This all sounds ridiculously difficult.

It's not, it's just that (like too many big providers) gmail's servers
have many and inconsistent-looking names.

> I find it incredible that I can't reference smtp.gmail.com as normal
> email clients do.

Well, you can, you just have to use * or perhaps *.gmail.com;
smtp.gmail.com is a nickname for several gmail servers. exim isn't an
email client, it's an email server, but it is quite capable of being a
client on behalf of other programs on your box.

> Maybe you're right: maybe exim4 isn't what I want or need.

It may sound difficult but exim's almost certainly simpler than any
other solution.

Cheers, John.
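The point made twice in this thread (the credential line is looked up by the name of the host Exim is actually connected to, not by the smarthost name you typed) is easy to get wrong, so here is an added example that emulates that lookup offline. It is not code from the thread, from Exim or from the Debian package: the passwd.client sample, the login and the password are constructed placeholders, the reverse-DNS name is the one from the failing log line quoted above, and the matching rule (literal key, `*`, or `*.domain`, first match wins) is this emulation's assumption modelled on a wildcard lsearch. The last two functions add the check a practitioner wants on any file holding a mail password: that it is not world-readable.

```python
"""Emulation of the Debian exim4 smarthost credential lookup (added example)."""
import fnmatch
import os
import stat
import tempfile

# Constructed sample of /etc/exim4/passwd.client in the format the file's own
# header documents: target.mail.server.example:login:password
# The login and password are placeholders.
SAMPLE_PASSWD_CLIENT = """\
### CONFDIR/passwd.client
#
# Format:
#targetmailserver.example:login:password
#
smtp.gmail.com:alice@example.invalid:PASSWORD
*.gmail.com:alice@example.invalid:PASSWORD
"""

# The reverse-DNS name Exim was actually connected to, taken from the
# failing log line quoted in this thread.
CONNECTED_HOST = "gmail-smtp.l.google.com"


def parse_passwd_client(text):
    """Return (pattern, login, password) tuples in file order.

    Blank lines and '#' comments are skipped. Only the first two ':' are
    split on, so a password that itself contains ':' is preserved.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        pattern, login, password = line.split(":", 2)
        entries.append((pattern, login, password))
    return entries


def lookup_credentials(host, entries):
    """Look up the login for the host Exim is connected to ($host).

    Matching rule (an assumption of this emulation, modelled on a wildcard
    lsearch): a literal key must equal the host, '*' matches any host and
    '*.example' matches any host under that domain; the first match wins.
    Comparison is case-insensitive, as hostnames are.
    """
    host = host.lower()
    for pattern, login, password in entries:
        if fnmatch.fnmatchcase(host, pattern.lower()):
            return login, password
    return None


def lookup_demo():
    """Show that neither the literal smtp.gmail.com line nor *.gmail.com
    matches the connected host, while '*' or the reverse-DNS name does."""
    entries = parse_passwd_client(SAMPLE_PASSWD_CLIENT)
    with_catch_all = entries + [("*", "alice@example.invalid", "PASSWORD")]
    with_rdns = entries + [(CONNECTED_HOST, "alice@example.invalid", "PASSWORD")]
    return {
        "literal_or_domain_wildcard": lookup_credentials(CONNECTED_HOST, entries),
        "catch_all": lookup_credentials(CONNECTED_HOST, with_catch_all),
        "reverse_dns_name": lookup_credentials(CONNECTED_HOST, with_rdns),
    }


def world_readable(path):
    """True if every local user can read the file; a file holding a mail
    password should not be in that state."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & stat.S_IROTH)


def permission_demo():
    """Write the sample to a temporary file and compare two modes."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(SAMPLE_PASSWD_CLIENT)
        os.chmod(path, 0o644)
        loose = world_readable(path)
        os.chmod(path, 0o640)
        tight = world_readable(path)
    finally:
        os.unlink(path)
    return loose, tight


if __name__ == "__main__":
    print(lookup_demo())
    print(permission_demo())
```

Whether a domain wildcard helps therefore depends on the reverse-DNS name of the address Exim connected to, which is why the catch-all `*` line is the robust choice when the smarthost name is a CNAME for a changing set of servers.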
Re: [exim] TLS Authentication at gmail failing
On Fri, 27 Oct 2006 10:00:25 +0200, Hadron Quark [EMAIL PROTECTED] wrote:
> I have configured exim4 to use smarthost for sending mails. I have,
> successfully, configured it to use procmail_pipe to intercept local
> destinations - e.g. I can mail from the Linux command line to
> [EMAIL PROTECTED] and procmail is invoked by exim4 to deliver to my
> local maildirs.
>
> The problem I have is that, using mail as opposed to my smtpmail
> package in gnus and thus using exim4, the smarthost authentication is
> failing. It worked twice and then stopped working. Here is the logline
> I get:
>
> 2006-10-27 09:33:21 1GdMDG-0001tT-D9 ** [EMAIL PROTECTED] R=smarthost T=remote_smtp_smarthost: SMTP error from remote mail server after MAIL FROM:[EMAIL PROTECTED] SIZE=1369: host gmail-smtp.l.google.com [66.249.93.111]: 530 5.5.1 Authentication Required c1sm157417ugf

That looks like your exim is not trying to authenticate.
http://wiki.debian.org/PkgExim4UserFAQ#head-c1af64f5f8594bec680ed64a199607afb8e1c084
might help here.

> Here is the HowTo I followed, changing the port selected by the client
> to 587 for gmail's smtp servers. I have set up my passwd.client file.
> http://www.lexspoon.org/linux/smtp-relay.html

That HOWTO is actually quite bad. A critique of it can be found in
http://wiki.debian.org/PkgExim4UserFAQ#head-143dbe79ffa3848284fbd0b0a2bb78dae3d75a18.

> Possibly something to do with authentication file generated by
> /usr/share/doc/exim4-base/examples/exim-gencert

Not at all. A certificate is not needed if all you want to do is
authenticate as a client.

> - should I have even run that keeping in mind that I'm not running a
> receiving smtp server - only a client.

It does not hurt, but it is not needed.

| Next, set up the client to send all outgoing mail via the relay host.
| Install exim4 and set it to use your relay server as a smarthost.
| Edit /etc/exim4/passwd.client and put in your username and password,
| something like:
|
| ### CONFDIR/passwd.client
| #
| # Format:
| #targetmailserver.example:login:password
| #
| # default entry:
| ### *:bar:foo
| *:USERNAME:PASSWORD

That is correct, and the * keeps you from hitting the trap mentioned in
http://bugs.debian.org/244724 and
http://pkg-exim4.alioth.debian.org/README/exim4-config_files.5.html#/etc/exim4/passwd.client

| Finally, hack your exim4.conf.template to use port 26 instead of 25.
| Find the section for remote_smtp_smarthost and add port = 26 to it.
| In my file it looks like this:
|
| remote_smtp_smarthost:
|   debug_print = T: remote_smtp_smarthost for [EMAIL PROTECTED]
|   driver = smtp
|   hosts_try_auth = ${if exists {CONFDIR/passwd.client}{DCsmarthost}{}}
|   tls_tempfail_tryclear = false
|   DEBCONFheaders_rewriteDEBCONF
|   DEBCONFreturn_pathDEBCONF
|   port = 26
|
| That should be it. Now mail sent locally will get relayed via port 26
| on your relay host.

Please note that your third-party HOWTO gives the bad advice of
delivering to port tcp/26. smtp.google.com only listens on Ports tcp/25
and tcp/587.

I have just checked: smtp.google.com offers STARTTLS and only advertises
SMTP AUTH after the connection has been encrypted. Thus, the Debian
exim4 should be able to authenticate fine. I have verified both with
swaks and exim4 that authentication works. The only trap that I can see
is that smtp.google.com is a CNAME, so you'll need to either put an
asterisk in your passwd.client line or explicitly name the reverse DNS
name of smtp.google.com, which is (today) gmail-smtp.l.google.com.

May I ask why you chose to ignore all Debian documentation and instead
went to honor a third-party HOWTO that clearly shows that its author is
not familiar with Debian's exim packages?

Greetings
Marc

--
!! No courtesy copies, please !!
Marc Haber         | Questions are the           | Mailadresse im Header
Mannheim, Germany  | Beginning of Wisdom         | http://www.zugschlus.de/
Nordisch by Nature | Lt. Worf, TNG Rightful Heir | Fon: *49 621 72739834
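Two things in the message above are worth turning into a check: the "530 5.5.1 Authentication Required" reply after MAIL FROM means the client never sent AUTH at all, and a server like the one described offers STARTTLS in the clear but advertises AUTH only on the encrypted session. The following is an added example, not code from the thread, from Exim or from swaks. The log line is constructed in the shape of the one quoted in the thread (addresses and IP are placeholders), the two EHLO replies are constructed to model the described behaviour, and `auth_plan` encodes the client rule a practitioner wants: never offer PLAIN or LOGIN credentials before STARTTLS.

```python
"""Parse an Exim smarthost failure line and model a TLS-first AUTH client
(added example, not from the thread)."""
import re

# Constructed log line in the shape of the one quoted in this thread;
# addresses are placeholders and the IP is from the RFC 5737 documentation range.
SAMPLE_LOG_LINE = (
    "2006-10-27 09:33:21 1GdMDG-0001tT-D9 ** someone@example.invalid "
    "R=smarthost T=remote_smtp_smarthost: SMTP error from remote mail server "
    "after MAIL FROM:<sender@example.invalid> SIZE=1369: "
    "host gmail-smtp.l.google.com [192.0.2.10]: 530 5.5.1 Authentication Required c1sm157417ugf"
)

# Fields of an Exim '**' (permanent failure) line for a remote SMTP error.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<msgid>\S+) \*\* (?P<rcpt>\S+) "
    r"R=(?P<router>\S+) T=(?P<transport>\S+): SMTP error from remote mail server "
    r"after (?P<stage>.+?): host (?P<host>\S+) \[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?P<esc>\d\.\d+\.\d+) (?P<text>.*)$"
)


def parse_delivery_failure(line):
    """Return the named fields as a dict, or None if the line has another shape."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def diagnose(line):
    """Turn the parsed failure into the conclusion drawn in the thread."""
    info = parse_delivery_failure(line)
    if info is None:
        return "not a remote SMTP error line"
    if info["code"] == "530" and info["esc"] == "5.5.1":
        # The server rejected MAIL FROM for lack of authentication, so no AUTH
        # command was sent: the credential lookup for $host found nothing.
        return ("server %s requires authentication but no AUTH was sent; check "
                "hosts_try_auth and whether passwd.client matches %s"
                % (info["host"], info["host"]))
    return "remote server replied %s %s: %s" % (info["code"], info["esc"], info["text"])


# Constructed EHLO replies modelling the server behaviour described above:
# STARTTLS offered in the clear, AUTH advertised only after it.
EHLO_CLEARTEXT = """\
250-smtp.example.invalid at your service
250-SIZE 35882577
250-STARTTLS
250 ENHANCEDSTATUSCODES
"""
EHLO_AFTER_STARTTLS = """\
250-smtp.example.invalid at your service
250-SIZE 35882577
250-AUTH LOGIN PLAIN
250 ENHANCEDSTATUSCODES
"""


def ehlo_extensions(response):
    """Map each advertised EHLO keyword to its parameters, skipping the greeting."""
    exts = {}
    for line in response.splitlines()[1:]:
        m = re.match(r"^250[ -](\S+)(?:\s+(.*))?$", line)
        if m is None:
            raise ValueError("malformed EHLO line: %r" % line)
        exts[m.group(1).upper()] = (m.group(2) or "").split()
    return exts


def auth_plan(ehlo_cleartext, ehlo_encrypted=None):
    """Decide the client's next step; ehlo_encrypted is the reply to the
    second EHLO after STARTTLS, or None if TLS has not been negotiated yet.
    PLAIN and LOGIN carry the password, so they are used only over TLS."""
    clear = ehlo_extensions(ehlo_cleartext)
    if "STARTTLS" in clear and ehlo_encrypted is None:
        return "starttls"                   # encrypt first, then EHLO again
    if ehlo_encrypted is not None:
        mechs = ehlo_extensions(ehlo_encrypted).get("AUTH", [])
        return "auth " + " ".join(mechs) if mechs else "no-auth-offered"
    if "AUTH" in clear:
        return "refuse-cleartext-auth"      # never send the password unencrypted
    return "no-auth-offered"
```

Running `diagnose(SAMPLE_LOG_LINE)` yields the same conclusion Marc draws from the quoted line, and `auth_plan` returns "starttls" for the cleartext EHLO and "auth LOGIN PLAIN" once the post-STARTTLS EHLO is supplied, which is the order a correctly configured Debian exim4 client follows against this server.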
Re: [exim] TLS Authentication at gmail failing
(apologies as I replied directly to Marc as opposed to following up)

Thanks for the reply. See below.

Marc Haber [EMAIL PROTECTED] writes:

> On Fri, 27 Oct 2006 10:00:25 +0200, Hadron Quark [EMAIL PROTECTED] wrote:
>> I have configured exim4 to use smarthost for sending mails. I have,
>> successfully, configured it to use procmail_pipe to intercept local
>> destinations - e.g. I can mail from the Linux command line to
>> [EMAIL PROTECTED] and procmail is invoked by exim4 to deliver to my
>> local maildirs.
>>
>> The problem I have is that, using mail as opposed to my smtpmail
>> package in gnus and thus using exim4, the smarthost authentication is
>> failing. It worked twice and then stopped working. Here is the logline
>> I get:
>>
>> 2006-10-27 09:33:21 1GdMDG-0001tT-D9 ** [EMAIL PROTECTED] R=smarthost T=remote_smtp_smarthost: SMTP error from remote mail server after MAIL FROM:[EMAIL PROTECTED] SIZE=1369: host gmail-smtp.l.google.com [66.249.93.111]: 530 5.5.1 Authentication Required c1sm157417ugf
>
> That looks like your exim is not trying to authenticate.
> http://wiki.debian.org/PkgExim4UserFAQ#head-c1af64f5f8594bec680ed64a199607afb8e1c084
> might help here.

Not really as it offers no advice on how to setup. I don't know enough
about SMTP to debug anything.

>> Here is the HowTo I followed, changing the port selected by the client
>> to 587 for gmail's smtp servers. I have set up my passwd.client file.
>> http://www.lexspoon.org/linux/smtp-relay.html
>
> That HOWTO is actually quite bad. A critique of it can be found in
> http://wiki.debian.org/PkgExim4UserFAQ#head-143dbe79ffa3848284fbd0b0a2bb78dae3d75a18.
>
>> Possibly something to do with authentication file generated by
>> /usr/share/doc/exim4-base/examples/exim-gencert
>
> Not at all. A certificate is not needed if all you want to do is
> authenticate as a client.

That's good to know - thanks.

>> - should I have even run that keeping in mind that I'm not running a
>> receiving smtp server - only a client.
>
> It does not hurt, but it is not needed.
>
> | Next, set up the client to send all outgoing mail via the relay host.
> | Install exim4 and set it to use your relay server as a smarthost.
> | Edit /etc/exim4/passwd.client and put in your username and password,
> | something like:
> |
> | ### CONFDIR/passwd.client
> | #
> | # Format:
> | #targetmailserver.example:login:password
> | #
> | # default entry:
> | ### *:bar:foo
> | *:USERNAME:PASSWORD
>
> That is correct, and the * keeps you from hitting the trap mentioned in
> http://bugs.debian.org/244724 and
> http://pkg-exim4.alioth.debian.org/README/exim4-config_files.5.html#/etc/exim4/passwd.client
>
> | Finally, hack your exim4.conf.template to use port 26 instead of 25.
> | Find the section for remote_smtp_smarthost and add port = 26 to it.
> | In my file it looks like this:
> |
> | remote_smtp_smarthost:
> |   debug_print = T: remote_smtp_smarthost for [EMAIL PROTECTED]
> |   driver = smtp
> |   hosts_try_auth = ${if exists {CONFDIR/passwd.client}{DCsmarthost}{}}
> |   tls_tempfail_tryclear = false
> |   DEBCONFheaders_rewriteDEBCONF
> |   DEBCONFreturn_pathDEBCONF
> |   port = 26
> |
> | That should be it. Now mail sent locally will get relayed via port 26
> | on your relay host.
>
> Please note that your third-party HOWTO gives the bad advice of
> delivering to port tcp/26. smtp.google.com only listens on Ports tcp/25
> and tcp/587.

The how to I referenced didn't do anything with google. It was to do
with setting up your OWN smarthost for connecting to when on the road.
As I said above, I already changed the port to 587 anyway.

> I have just checked: smtp.google.com offers STARTTLS and only
> advertises SMTP AUTH after the connection has been encrypted. Thus,
> the Debian exim4 should be able to authenticate fine. I have verified
> both with swaks and exim4 that authentication works. The only trap
> that I can see is that smtp.google.com is a CNAME, so you'll need to
> either put an asterisk in your passwd.client line or explicitly name
> the reverse DNS name of smtp.google.com, which is (today)
> gmail-smtp.l.google.com.

Can you reference the info about this asterisk?

As for the CNAME - my exim4 log reveals it has started a conversation
with the smtp server just fine - so where does this CNAME come in?
Clearly I wouldn't want to put in a day specific smtp server name.
smtp.gmail.com seems to find their servers fine. What am I
misunderstanding here?

> May I ask why you chose to ignore all Debian documentation and instead
> went to honor a third-party HOWTO that clearly shows that its author is
> not familiar with Debian's exim packages?

Because I couldn't google anything up which was easy enough to follow:
as a newbie, totally unfamiliar with exim4 the main docs are extremely
hard to follow. If you know of a small howto which works please let me
know or even the link to proper debian documentation which doesn't
assume knowledge of SMTP protocol and telnet. I had a look at the wiki
FAQ,