Re: [exim] TLS authentication

2023-02-17 Thread Jeremy Harris via Exim-users

On 17/02/2023 04:18, Ian Zimmerman via Exim-users wrote:
> what is a "variable of type certificate" in exim's proudly unityped
> macro language?

$tls_{in,out}_(our,peer)cert are all certificate-type variables.
They are not usable as text, but can be used by a "certextract"
expansion.

The documentation Concept Index has an entry for "certificate", "variables".
--
Cheers,
  Jeremy


--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


Re: [exim] TLS authentication

2023-02-16 Thread Viktor Dukhovni via Exim-users
On Thu, Feb 16, 2023 at 08:18:46PM -0800, Ian Zimmerman via Exim-users wrote:

> An excellent suggestion, thanks. I think I got stuck in this unproductive
> (it seems) rut of authentication by verification because of two things:
> 
> - not immediately obvious how to *compute* the checksum to match in
>   the first place.  I don't expect it's just the checksum over the pem
>   file, is it?

No, PEM is not suitably canonical, for that you'd want the ASN.1 DER
form of the public key (or full certificate, whichever you prefer).

> - the documentation for the md5 (and sha1) expansion operators is cryptic:
> 
> If the string is a single variable of type certificate, returns the
> MD5 hash fingerprint of the certificate.

MD5 is deprecated; ideally Exim also supports sha256 in the same role.
The hash should be computed over the DER form.

> what is a "variable of type certificate" in exim's proudly unityped
> macro language?

I am a Postfix maintainer, mostly lurking on this list, except when it
comes to TLS-related or especially DANE-related issues.  So I can't answer
anything about Exim variables.  On the command-line, to extract the public
key and/or certificate digests:

# key digest
$ openssl x509 -in cert.pem -pubkey -noout |
openssl pkey -pubin -outform DER |
openssl dgst -sha256 -binary |
xxd -p -c32

# cert digest
$ openssl x509 -in cert.pem -outform DER |
openssl dgst -sha256 -binary |
xxd -p -c32

-- 
Viktor.

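As an added illustration of the two openssl pipelines above and of the "table of trusted client public keys" suggested elsewhere in this thread (example code written for this page, not Exim or Postfix code and not from any poster): it fingerprints a certificate over its DER bytes, either the whole certificate or just the SubjectPublicKeyInfo, and looks the key fingerprint up in an allow-list. The DER walker, the two unsigned sample certificates, their made-up RSA key and the allow-list are all constructed for the demo.

```python
import hashlib
import ssl
from typing import Dict, List, Optional, Tuple

# ---- minimal DER helpers: enough to build and walk an X.509 Certificate ----

def der_tlv(tag: int, value: bytes) -> bytes:
    """Encode one DER tag-length-value (short or long length form as needed)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value

def der_read(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: n length octets follow
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def der_children(value: bytes) -> List[Tuple[int, bytes]]:
    """Split a constructed value into (tag, complete TLV bytes) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, _, nxt = der_read(value, pos)
        out.append((tag, value[pos:nxt]))
        pos = nxt
    return out

def spki_from_cert(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of a DER-encoded X.509 certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    tag, cert_body, _ = der_read(cert_der)
    tbs_tag, tbs_tlv = der_children(cert_body)[0]
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not a DER Certificate")
    fields = der_children(der_read(tbs_tlv)[1])
    if fields[0][0] == 0xA0:                # explicit [0] version (v2/v3 certs)
        fields = fields[1:]
    spki_tag, spki_tlv = fields[5]
    if spki_tag != 0x30:
        raise ValueError("subjectPublicKeyInfo not where expected")
    return spki_tlv

# ---- fingerprints: always over DER bytes, never over the PEM text ----

def cert_fingerprint(pem: str) -> str:
    """SHA-256 of the whole certificate in DER form (openssl x509 -outform DER)."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()

def pubkey_fingerprint(pem: str) -> str:
    """SHA-256 of the DER SubjectPublicKeyInfo (openssl pkey -pubin -outform DER)."""
    return hashlib.sha256(spki_from_cert(ssl.PEM_cert_to_DER_cert(pem))).hexdigest()

def authorise(pem: str, allowed: Dict[str, str]) -> Optional[str]:
    """Look the presented certificate's public key up in the allow-list."""
    return allowed.get(pubkey_fingerprint(pem))

# ---- constructed sample certificates: unsigned, made-up key, demo only ----

def _name(common_name: str) -> bytes:
    # Name ::= SEQUENCE OF SET OF { OID 2.5.4.3 (commonName), UTF8String }
    attr = der_tlv(0x06, b"\x55\x04\x03") + der_tlv(0x0C, common_name.encode())
    return der_tlv(0x30, der_tlv(0x31, der_tlv(0x30, attr)))

_NULL = der_tlv(0x05, b"")
_SIG_ALG = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + _NULL)  # sha256WithRSA
_VALIDITY = der_tlv(0x30, der_tlv(0x17, b"230216000000Z") + der_tlv(0x17, b"240216000000Z"))
# One made-up RSA key (16-byte "modulus", e=65537) shared by both sample certificates.
_RSA_KEY = der_tlv(0x30, der_tlv(0x02, b"\x00" + bytes(range(0xC0, 0xD0))) + der_tlv(0x02, b"\x01\x00\x01"))
SAMPLE_SPKI = der_tlv(0x30, der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d010101")) + _NULL)
                      + der_tlv(0x03, b"\x00" + _RSA_KEY))
SAMPLE_SPKI_SHA256 = hashlib.sha256(SAMPLE_SPKI).hexdigest()

def make_cert_pem(subject_cn: str, serial: int) -> str:
    """Build a structurally valid v3 certificate around SAMPLE_SPKI (dummy signature)."""
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, bytes([serial]))
                  + _SIG_ALG + _name("Example Client CA") + _VALIDITY + _name(subject_cn) + SAMPLE_SPKI)
    cert = der_tlv(0x30, tbs + _SIG_ALG + der_tlv(0x03, b"\x00" + bytes(32)))
    return ssl.DER_cert_to_PEM_cert(cert)

CLIENT_PEM = make_cert_pem("client-1", 1)
REISSUED_PEM = make_cert_pem("client-1", 2)                  # renewed cert, same key
ALLOWED_KEYS = {pubkey_fingerprint(CLIENT_PEM): "client-1"}  # the lookup table

if __name__ == "__main__":
    print("cert fingerprint  :", cert_fingerprint(CLIENT_PEM))
    print("pubkey fingerprint:", pubkey_fingerprint(CLIENT_PEM))
    # The renewed certificate still matches because the key did not change.
    print("renewed cert authorised as:", authorise(REISSUED_PEM, ALLOWED_KEYS))
```

Re-wrapping or re-encoding the PEM text leaves both fingerprints unchanged, which is why the hash is taken over the DER form and not the file.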


Re: [exim] TLS authentication

2023-02-16 Thread Ian Zimmerman via Exim-users
On Thu, Feb 16, 2023 at 09:29:20AM -0500, Viktor Dukhovni via Exim-users wrote:
> On the other hand, much better to simply maintain an explicit table of
> trusted client public keys and match these (by SHA256 fingerprint
> perhaps).  Use a lookup table to check whether the client is authorised
> or not.

An excellent suggestion, thanks. I think I got stuck in this unproductive
(it seems) rut of authentication by verification because of two things:

- not immediately obvious how to *compute* the checksum to match in
  the first place.  I don't expect it's just the checksum over the pem
  file, is it?

- the documentation for the md5 (and sha1) expansion operators is cryptic:

If the string is a single variable of type certificate, returns the
MD5 hash fingerprint of the certificate.

  what is a "variable of type certificate" in exim's proudly unityped
  macro language?

-- 
Ian



Re: [exim] TLS authentication

2023-02-16 Thread Viktor Dukhovni via Exim-users
On Thu, Feb 16, 2023 at 09:17:51PM +, Jeremy Harris via Exim-users wrote:

> On 16/02/2023 21:09, Viktor Dukhovni via Exim-users wrote:
> > Some applications (want to) only accept client certificates issued by a
> > dedicated non-public CA, which amounts to an authorisation server
> 
> In exim usage that's a test on a certextract of the issuer of
> $tls_in_peercert, either just in ACL or as part of the
> server_condition for an authenticator using the tls driver.
> 
> For either, the TLS session has to have been accepted first.

The problem is that any root CA can issue a subCA with any subject DN it
wants.  So just checking issuer names, and expecting these to uniquely
identify a private dedicated CA is not "safe".

There is no global X.500 namespace that ensures uniqueness of CA
"distinguished names", they're just made up.

So, if I can't bypass the system trust store, I would be more inclined
to check the issuer public key, not the issuer DN.  That said, an
OpenSSL application can just set the environment and get a non-default
trust store location:

https://www.openssl.org/docs/manmaster/man3/X509_get_default_cert_dir_env.html

const char *X509_get_default_cert_dir_env(void);
const char *X509_get_default_cert_file_env(void);

Just set those environment variables (just between us friends, those
are "SSL_CERT_DIR" and "SSL_CERT_FILE") to a directory and file that
hold only the application-specific trust anchors, and the system
trust store would no longer be loaded by default.  This works
for OpenSSL, can't speak to GnuTLS...

-- 
Viktor.



Re: [exim] TLS authentication

2023-02-16 Thread Jeremy Harris via Exim-users

On 16/02/2023 21:09, Viktor Dukhovni via Exim-users wrote:
> Some applications (want to) only accept client certificates issued by a
> dedicated non-public CA, which amounts to an authorisation server

In exim usage that's a test on a certextract of the issuer of
$tls_in_peercert, either just in ACL or as part of the
server_condition for an authenticator using the tls driver.

For either, the TLS session has to have been accepted first.
--
Cheers,
  Jeremy




Re: [exim] TLS authentication

2023-02-16 Thread Viktor Dukhovni via Exim-users
On Thu, Feb 16, 2023 at 09:44:55PM +0100, Heiko Schlittermann via Exim-users wrote:

> > Is it at all possible with OpenSSL to stop the "system" location from
> > being checked? If not, that seems to make the use of TLS for client
> > authentication impossible because any certificate presented by
> > e.g. Google will pass verification. Am I reading this correctly?
> 
> IMHO it shouldn't be sufficient accept any client that just has a
> verified certificate ("authenticated"). You should check, if the client
> is "authorized", by checking required certificate attributes (issuer,
> subject, …)
> 

Some applications (want to) only accept client certificates issued by a
dedicated non-public CA, which amounts to an authorisation server.  If
the CA gave you a cert, you're an authorised user of the application
until the cert expires (or is revoked, if the server application has
access to timely CRLs, ...)

They drank the PKI Kool-Aid.  I don't recommend this design.  Often
simpler to just use a list of authorised public keys instead.

-- 
Viktor.



Re: [exim] TLS authentication

2023-02-16 Thread Heiko Schlittermann via Exim-users
Ian Zimmerman via Exim-users (Tue 14 Feb 2023 01:40:52 CET):
>   With OpenSSL the certificates specified explicitly either by file or
>   directory are added to those given by the system default location.
> 
> Is it at all possible with OpenSSL to stop the "system" location from
> being checked? If not, that seems to make the use of TLS for client
> authentication impossible because any certificate presented by
> e.g. Google will pass verification. Am I reading this correctly?

IMHO it shouldn't be sufficient to accept any client that just has a
verified certificate ("authenticated"). You should check if the client
is "authorized", by checking required certificate attributes (issuer,
subject, …)

Maybe I got you wrong.
-- 
Heiko




Re: [exim] TLS authentication

2023-02-16 Thread Viktor Dukhovni via Exim-users
On Mon, Feb 13, 2023 at 04:40:52PM -0800, Ian Zimmerman via Exim-users wrote:

>   With OpenSSL the certificates specified explicitly either by file or
>   directory are added to those given by the system default location.
> 
> Is it at all possible with OpenSSL to stop the "system" location from
> being checked? If not, that seems to make the use of TLS for client
> authentication impossible because any certificate presented by
> e.g. Google will pass verification. Am I reading this correctly?

In principle, yes, it just requires not loading the default certificate
store by not calling SSL_CTX_set_default_verify_paths(3).

So if you want to permit only clients with trusted certificates signed
by just your own CA, indeed you need to avoid loading the default cert
store.

On the other hand, much better to simply maintain an explicit table of
trusted client public keys and match these (by SHA256 fingerprint
perhaps).  Use a lookup table to check whether the client is authorised
or not.

-- 
Viktor.



Re: [exim] TLS authentication

2023-02-16 Thread Jeremy Harris via Exim-users

On 14/02/2023 00:40, Ian Zimmerman via Exim-users wrote:
> Is it at all possible with OpenSSL to stop the "system" location from
> being checked?

No.

> If not, that seems to make the use of TLS for client
> authentication impossible because any certificate presented by
> e.g. Google will pass verification. Am I reading this correctly?

Please define your authentication requirements:  exactly what
do you want checked?
--
Cheers,
  Jeremy




Re: [exim] TLS Authentication Strength

2007-11-27 Thread Phil Pennock
On 2007-11-26 at 15:27 +, andylockran wrote:
> I'm setting up a cluster of servers for the PCI DSS and I've only got one
> vulnerability left - which is that SSL/TLS supports weak authentication in
> exim.  (I managed to set SSLv2 to disabled on exim with the following line:)
>
> tls_require_ciphers = HIGH:!MEDIUM:!LOW:SSLv3:!SSLv2:!DES
>
> Unfortunately, this does not set the authentication method to only support
> HIGH Levels of encryption (128bit or above).
>
> I can't find any information about where this should be set.. and I know this
> line works as it manages to disable SSLv2.  I've checked section 38 of the
> manual (and 38.4 specifically as I'm using openssl).
>
> One of the solutions may be to specify the particular encryption methods on
> this line - but does anyone know a way of implementing the HIGH:MEDIUM:LOW
> setting in a similar way to the following (from proftpd).
>
> TLSCipherSuite  HIGH:MEDIUM:!ADH:!SSLv2

It's left-to-right, IIRC, and so adding SSLv3 later overrode the
!MEDIUM.

I use (but I'm not a cryptographer):
tls_require_ciphers = ALL:!SSLv2:!LOW:!EXPORT:!ADH:!NULL:!DES:@STRENGTH

Turn them all on, disable LOW, the EXPORT restricted ones, Anonymous DH,
the NULL, the plain DES and then sort the remainder in strength order, so
that the strongest one is preferred.

Provided that your OS installs the OpenSSL man-pages, ciphers(1) should
list the options available.  Otherwise the current doc (as opposed to
docs for your installed version) is at:
  http://www.openssl.org/docs/apps/ciphers.html

Oh, cool, NULL is not included in ALL so my !NULL is sheer paranoia.
I'll leave it there.  :^)

-Phil

-- 
## List details at http://lists.exim.org/mailman/listinfo/exim-users 
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


Re: [exim] TLS Authentication at gmail failing

2006-10-29 Thread Marc Haber
On Sat, 28 Oct 2006 15:39:15 +0200, Hadron Quark
[EMAIL PROTECTED] wrote:
> This all sounds ridiculously difficult. I find it incredible that I can't
> reference smtp.gmail.com as normal email clients do.

You can, and your HOWTO gets _this_ right: Simply use * and live
with the fact that this might disclose your password to the wrong
host.

>> It _might_ help to deliver a message from the command line with
>> < /dev/null exim -d target.address and to send the debug output to a
>> paste service. Beware that this output might contain your SMTP AUTH
>> password, so you'd need to sanitize the output before posting.
>
> I have no idea what you are talking about. Thanks for your help,
> but it seems this is more trouble than it's worth.

A pity. So we are not able to improve our documentation or to find out
what is going wrong on your system.

Greetings
Marc

-- 
-- !! No courtesy copies, please !! -
Marc Haber |Questions are the | Mailadresse im Header
Mannheim, Germany  | Beginning of Wisdom  | http://www.zugschlus.de/
Nordisch by Nature | Lt. Worf, TNG Rightful Heir | Fon: *49 621 72739834

-- 
## List details at http://www.exim.org/mailman/listinfo/exim-users 
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/


Re: [exim] TLS Authentication at gmail failing

2006-10-29 Thread Marc Haber
On Sun, 29 Oct 2006 20:38:04 +0800, W B Hacker [EMAIL PROTECTED]
wrote:
> - Having Exim perform MUA-style 'client' functions is possible, but not as easy
> as a few 'box ticks' and filled-in blanks on a userland MUA.

It is actually easy in Debian's exim4 packages, which the anonymous
original poster is using, and it works for me. Additionally, the
outdated and misleading HOWTO he uses miraculously fits his situation,
so his exim should work fine. Unfortunately, he is not willing to help
in finding the bug, and he is asking in the wrong forum.

Greetings
Marc

-- 
-- !! No courtesy copies, please !! -
Marc Haber |Questions are the | Mailadresse im Header
Mannheim, Germany  | Beginning of Wisdom  | http://www.zugschlus.de/
Nordisch by Nature | Lt. Worf, TNG Rightful Heir | Fon: *49 621 72739834



Re: [exim] TLS Authentication at gmail failing

2006-10-29 Thread W B Hacker
Marc Haber wrote:
> On Sun, 29 Oct 2006 20:38:04 +0800, W B Hacker [EMAIL PROTECTED]
> wrote:
>> - Having Exim perform MUA-style 'client' functions is possible, but not as
>> easy as a few 'box ticks' and filled-in blanks on a userland MUA.
>
> It is actually easy in Debian's exim4 packages, which the anonymous
> original poster is using, and it works for me.

Despite being a user of 'other than..' I have read your docs, and I have to
agree.

- if that is what you are using, that is where you look, and what you need
IS THERE.

> Additionally, the
> outdated and misleading HOWTO he uses miraculously fits his situation,
> so his exim should work fine. Unfortunately, he is not willing to help
> in finding the bug, and he is asking in the wrong forum.
>
> Greetings
> Marc

I have no idea if just-released Ubuntu 'Edgy' has, or has not used your work
unaltered, but it DOES look as if he HAS changed the defaults.

==
 I have modified none of them from the default Ubuntu Edgy install
==

I wonder if we have been trolled

;-)

Bill Hacker




Re: [exim] TLS Authentication at gmail failing

2006-10-29 Thread Hadron Quark
W B Hacker [EMAIL PROTECTED] writes:

> Hadron Quark wrote:
>
> *snip* largely circular discussion by now...
>
>> I have no idea what you are talking about. Thanks for your help,
>> but it seems this is more trouble than it's worth. Even the wiki didn't
>> work.
>
> Can we start over, please?

Yes. Any help much appreciated.

> What sort of messages, besides the cron'ed reports mentioned, do you wish to
> get from your Linux box to the outside world?

What cron reports? Are you referring to the exim log? See below.

> Does your Linux box, for example, support users other than yourself who need
> to send and receive mail?  Mailing lists? A Wiki? Webforms? or what?
>
> There are many possibilities, some of them dirt-simple, but we are getting
> wrapped up in the details of the process before understanding the specifics
> of the need.

I must admit to being a little confused by the previous reply which
seemed to be getting into coding details about stuff I had never heard
of. I will start again:

I want exim4 configured to deliver email using a smarthost. A Gmail
smarthost. This is one of the 3 or 4 main modes of exim it would
appear so why this should be extremely complicated as suggested
earlier is a surprise to me.

I have:

added the procmail_pipe to my config for local mail delivery : works fine.
modified my passwd.client
added port=587 to my config
set the smarthost to be smtp.gmail.com in my config
updated the config
restarted the exim server

if I

bash: echo test | mail [EMAIL PROTECTED]

I get this in my exim mainlog:

2006-10-28 19:52:40 1GdsMK-0004L8-6E <= [EMAIL PROTECTED] U=hadron P=local S=333
2006-10-28 19:52:51 1GdsMK-0004L8-6E plain authenticator failed H=gmail-smtp.l.google.com [66.249.93.109] 535 5.7.1 Credentials Rejected y7sm962917ugc
2006-10-28 19:52:51 1GdsMK-0004L8-6E login authenticator failed H=gmail-smtp.l.google.com [66.249.93.109] 535 5.7.1 Credentials Rejected y7sm962917ugc
2006-10-28 19:52:51 1GdsMK-0004L8-6E ** [EMAIL PROTECTED] R=smarthost T=remote_smtp_smarthost: SMTP error from remote mail server after MAIL FROM:[EMAIL PROTECTED] SIZE=1367: host gmail-smtp.l.google.com [66.249.93.109]: 530 5.5.1 Authentication Required y7sm962917ugc
2006-10-28 19:53:01 1GdsMf-0004LJ-Me <= <> R=1GdsMK-0004L8-6E U=Debian-exim P=local S=1285
2006-10-28 19:53:01 1GdsMK-0004L8-6E Completed

I don't understand authenticators, I have modified none of them from the
default Ubuntu Edgy install. I don't understand the errors above.

Any pointer much appreciated.

> Bill



Re: [exim] TLS Authentication at gmail failing

2006-10-29 Thread Hadron Quark
W B Hacker [EMAIL PROTECTED] writes:

> Hadron Quark wrote:
>> W B Hacker [EMAIL PROTECTED] writes:
>>
>>> Hadron Quark wrote:
>
> *snip*
>
>> of. I will start again:
>>
>> I want exim4 configured to deliver email using a smarthost. A Gmail
>> smarthost.
>
> You have (once again) skipped all the important stuff. i.e *what sort of mail*
> and *from whom* really matters here BECAUSE:

I posted a line to generate a standard text mail to a
gmail account via a smarthost. How can it be more clear?

> - Everything you have so far posted gives me a 'strong suspicion' that you are
> trying to use Exim, a 'Message Transfer Agent', or MTA, when all you really
> need is  a 'Message User Agent', or MUA.

This is getting ridiculous. Where do you get me using it as an MUA
from? I have said I want it to operate delivering via a smarthost.

I am using it as an MTA. Normally I use (as stated before) smtpmail.el
in gnus as my MUA.

However, I use exim4 to involve procmail for LOCAL mail (e.g
cron jobs sending an email) delivery and I want it to also talk to GMAIL SMTP
server in smarthost mode since I have a dynamic IP and I can't deliver
external mails from a local smtp server (blacklisted IP blocks from my
ISP).

I really don't see how this can be clearer.

> - Having Exim perform MUA-style 'client' functions is possible, but not as
> easy as a few 'box ticks' and filled-in blanks on a userland MUA.

I'm sorry. I don't understand. Did you read the howto link I posted?
Again - I followed the following wiki (and read the docs), and the
errors I get I posted in the previous post. Can you decipher them and
tell me what is wrong?

Clearly exim DOES talk to smtp.gmail.com but for some reason
authentication is not being done or recognised. The error messages make
that clear.

http://wiki.debian.org/GmailAndExim4

>> This is one of the 3 or 4 main modes of exim it would
>> appear so why this should be extremely complicated as suggested
>> earlier is a surprise to me.
>
> It is complicated only because;
>
> You also have to configure for a great many things that it appears you do not
> need and may not use. Ever.

Let's not worry about them. There are sensible defaults. All I want is
smarthost via gmail and local delivery via procmail - the latter is
done. The former is not working : the error messages are posted in the
previous posts. Authentication is NOT being performed properly.

> It is a bit like deciding to build a private freight train to carry a loaf of
> bread home when a simple train *ticket* might be less hassle.

No. I just want exim4 to deliver via a smart host.

> As you haven't studied smtp in general or Exim in particular, you really
> should expect to do a great deal of reading.

I did. Did you read the wiki I posted a link to?

> Not trying to put you off - it is worthwhile learning.  But it doesn't come
> without time invested.

Did you read the error messages? Do they mean anything to you?

Even I can tell people to read the manuals.

Can you help?



Re: [exim] TLS Authentication at gmail failing

2006-10-29 Thread Hadron Quark
Marc Haber [EMAIL PROTECTED] writes:

> On Sat, 28 Oct 2006 15:39:15 +0200, Hadron Quark
> [EMAIL PROTECTED] wrote:
>> This all sounds ridiculously difficult. I find it incredible that I can't
>> reference smtp.gmail.com as normal email clients do.
>
> You can, and your HOWTO gets _this_ right: Simply use * and live
> with the fact that this might disclose your password to the wrong
> host.
>
>>> It _might_ help to deliver a message from the command line with
>>> < /dev/null exim -d target.address and to send the debug output to a
>>> paste service. Beware that this output might contain your SMTP AUTH
>>> password, so you'd need to sanitize the output before posting.
>>
>> I have no idea what you are talking about. Thanks for your help,
>> but it seems this is more trouble than it's worth.
>
> A pity. So we are not able to improve our documentation or to find out
> what is going wrong on your system.

I have posted the logs twice now.

Still no one has commented on what the problem might be there : just
tried to dissuade me from using exim for some reason.

Could anyone comment on these logs please? Clearly exim IS talking to
Gmail's smtp server so it's not an issue of the passwd.client file.

,
| 2006-10-29 14:03:45 1GeAKH-0002Pu-4L <= [EMAIL PROTECTED] U=hadron P=local S=322
| 2006-10-29 14:03:56 1GeAKH-0002Pu-4L plain authenticator failed H=gmail-smtp.l.google.com [66.249.93.109] 535 5.7.1 Credentials Rejected 54sm1924149ugp
| 2006-10-29 14:03:56 1GeAKH-0002Pu-4L login authenticator failed H=gmail-smtp.l.google.com [66.249.93.109] 535 5.7.1 Credentials Rejected 54sm1924149ugp
| 2006-10-29 14:03:56 1GeAKH-0002Pu-4L ** [EMAIL PROTECTED] R=smarthost T=remote_smtp_smarthost: SMTP error from remote mail server after MAIL FROM:[EMAIL PROTECTED] SIZE=1355: host gmail-smtp.l.google.com [66.249.93.109]: 530 5.5.1 Authentication Required 54sm1924149ugp
| 2006-10-29 14:04:06 1GeAKc-0002Q7-Ma <= <> R=1GeAKH-0002Pu-4L U=Debian-exim P=local S=1277
| 2006-10-29 14:04:06 1GeAKH-0002Pu-4L Completed
`

This is AFTER following this wiki:

http://wiki.debian.org/GmailAndExim4

Do I have to enable authenticators or something? How would I debug this
to provide you experts with the info you need?

Again : I wish to use exim4 to deliver via a gmail smarthost. According
to the documentation this is supported and should be easy to configure :
not overly complicated or underkill for exim. I already have it
delivering locally via procmail. But I wish to forward internal system
mail (e.g cron reports) to an external address. I can not deliver from
my own smtp server because I have a dynamic IP which is in a black listed
IP block. Hence the common need to use smarthost delivery.

Any and all help appreciated.

> Greetings
> Marc



Re: [exim] TLS Authentication at gmail failing

2006-10-29 Thread Hadron Quark
Marc Haber [EMAIL PROTECTED] writes:

> On Sun, 29 Oct 2006 20:38:04 +0800, W B Hacker [EMAIL PROTECTED]
> wrote:
>> - Having Exim perform MUA-style 'client' functions is possible, but not as
>> easy as a few 'box ticks' and filled-in blanks on a userland MUA.
>
> It is actually easy in Debian's exim4 packages, which the anonymous
> original poster is using, and it works for me. Additionally, the
> outdated and misleading HOWTO he uses miraculously fits his situation,
> so his exim should work fine. Unfortunately, he is not willing to help
> in finding the bug, and he is asking in the wrong forum.

Not willing to help find the bug?!?! Do you read the posts or just take a guess?

But no need for you to worry : I uninstalled exim completely, removed
exim4 directory, reinstalled it, added the port, modified the
passwd.client, added the procmail_pipe part and it worked.





Re: [exim] TLS Authentication at gmail failing

2006-10-29 Thread W B Hacker
Hadron Quark wrote:
> Marc Haber [EMAIL PROTECTED] writes:
>
>> On Sun, 29 Oct 2006 20:38:04 +0800, W B Hacker [EMAIL PROTECTED]
>> wrote:
>>> - Having Exim perform MUA-style 'client' functions is possible, but not as
>>> easy as a few 'box ticks' and filled-in blanks on a userland MUA.
>>
>> It is actually easy in Debian's exim4 packages, which the anonymous
>> original poster is using, and it works for me. Additionally, the
>> outdated and misleading HOWTO he uses miraculously fits his situation,
>> so his exim should work fine. Unfortunately, he is not willing to help
>> in finding the bug, and he is asking in the wrong forum.
>
> Not willing to help find the bug?!?! Do you read the posts or just take a
> guess?
>
> But no need for you to worry : I uninstalled exim completely, removed
> exim4 directory, reinstalled it, added the port, modified the
> passwd.client, added the procmail_pipe part and it worked.

Thereby un-doing whatever it was you had done and not [intended | realized].

Good news!

Is the bar open yet?








Re: [exim] TLS Authentication at gmail failing

2006-10-29 Thread Marc Haber
On Sun, 29 Oct 2006 17:59:43 +0100, Hadron Quark
[EMAIL PROTECTED] wrote:
> Marc Haber [EMAIL PROTECTED] writes:
>> A pity. So we are not able to improve our documentation or to find out
>> what is going wrong on your system.
>
> I have posted the logs twice now.

Yes, but no debug information, which is what I have been asking for.

> ,
> | 2006-10-29 14:03:45 1GeAKH-0002Pu-4L <= [EMAIL PROTECTED] U=hadron P=local S=322
> | 2006-10-29 14:03:56 1GeAKH-0002Pu-4L plain authenticator failed H=gmail-smtp.l.google.com [66.249.93.109] 535 5.7.1 Credentials Rejected 54sm1924149ugp

Looks like the password or the user name is wrong. That's, btw, a
different error than you had previously.

> This is AFTER following this wiki:
>
> http://wiki.debian.org/GmailAndExim4
>
> Do I have to enable authenticators or something?

No.

> How would I debug this
> to provide you experts with the info you need?

That is mentioned in the Debian exim4 User FAQ since yesterday.

Greetings
Marc

-- 
-- !! No courtesy copies, please !! -
Marc Haber |Questions are the | Mailadresse im Header
Mannheim, Germany  | Beginning of Wisdom  | http://www.zugschlus.de/
Nordisch by Nature | Lt. Worf, TNG Rightful Heir | Fon: *49 621 72739834



Re: [exim] TLS Authentication at gmail failing

2006-10-28 Thread Marc Haber
On Fri, 27 Oct 2006 13:18:21 +0200, Hadron Quark
[EMAIL PROTECTED] wrote:
Marc Haber [EMAIL PROTECTED] writes:
 On Fri, 27 Oct 2006 10:00:25 +0200, Hadron Quark
 [EMAIL PROTECTED] wrote:
I have configured exim4 to use smarthost for sending mails. I have,
succesfully, configured it to use procmail_pipe to intercept local
destinations - e.g I can mail from the Linux command line to
[EMAIL PROTECTED] and procmail is invoked by exim4 to deliver to my local
maildirs.

The problem I have is that, using mail as opposed to my smtpmail
package in gnus and thus using exim4, the smarthost authentication is
failing. It worked twice and then stopped working.

Here is the logline I get:

2006-10-27 09:33:21 1GdMDG-0001tT-D9 ** [EMAIL PROTECTED]
R=smarthost T=remote_smtp_smarthost: SMTP error from remote mail server
after MAIL FROM:[EMAIL PROTECTED] SIZE=1369: host gmail-smtp.l.google.com
[66.249.93.111]: 530 5.5.1 Authentication Required c1sm157417ugf

 That looks like your exim is not trying to authenticate.
 http://wiki.debian.org/PkgExim4UserFAQ#head-c1af64f5f8594bec680ed64a199607afb8e1c084
 might help here.

Not really as it offers no advice on how to setup. I dont know enough
about SMTP to debug anything. 

If you do not know that much about SMTP, then you should probably not
run a mail server on the public Internet.

I have, however, added a few advices about how to debug to the FAQ
entry. It might be more helpful now.

| Next, set up the client to send all outgoing mail via the relay host. 
Install exim4 and set it to use your relay server as a smarthost. Edit 
/etc/exim4/passwd.client and put in your username and password, something 
like:
| 
| ### CONFDIR/passwd.client
| #
| # Format:
| #targetmailserver.example:login:password
| #
| # default entry:
| ### *:bar:foo
| *:USERNAME:PASSWORD

 That is correct, and the * keeps you from hitting the trap mentioned
 in http://bugs.debian.org/244724 and
 http://pkg-exim4.alioth.debian.org/README/exim4-config_files.5.html#/etc/exim4/passwd.client

| Finally, hack your exim4.conf.template to use port 26 instead of 25. Find 
the section for remote_smtp_smarthost and add port = 26 to it. In my file it 
looks like this:
| 
| remote_smtp_smarthost:
|   debug_print = T: remote_smtp_smarthost for [EMAIL PROTECTED]
|   driver = smtp
|   hosts_try_auth = ${if exists {CONFDIR/passwd.client}{DCsmarthost}{}}
|   tls_tempfail_tryclear = false
|   DEBCONFheaders_rewriteDEBCONF
|   DEBCONFreturn_pathDEBCONF
|   port = 26
| 
| That should be it. Now mail sent locally will get relayed via port 26 on 
your relay host. 

 Please note that your third-party HOWTO gives the bad advice of
 delivering to port tcp/26. smtp.google.com only listens on Ports
 tcp/25 and tcp/587.

The HOWTO I referenced didn't do anything with google. It was to do with
setting up your OWN smarthost for connecting to when on the road. As
I said above, I already changed the port to 587 anyway.

Good.

 I have just checked: smtp.google.com offers STARTTLS and only
 advertises SMTP AUTH after the connection has been encrypted. Thus,
 the Debian exim4 should be able to authenticate fine. I have verified
 both with swaks and exim4 that authentication works.

 The only trap that I can see is that smtp.google.com is a CNAME, so
 you'll need to either put an asterisk in your passwd.client line or
 explicitly name the reverse DNS name of smtp.google.com, which is
 (today) gmail-smtp.l.google.com. 

Can you reference the info about this asterisk?

Sure. I already did. Information is available in
http://bugs.debian.org/244724 and
http://pkg-exim4.alioth.debian.org/README/exim4-config_files.5.html#/etc/exim4/passwd.client

As for the CNAME - my
exim4 log reveals it has started a conversation with the smtp server just
fine - so where does this CNAME come in?

The plain authenticator in Debian's default configuration uses $host
as a key into /etc/exim4/passwd.client, and that variable contains the
name of the host you are actually connected to, which is most probably
taken from the reverse DNS entry of the associated IP address. Thus,
an entry smtp.gmail.com would not match for the host you are
connected to.

Changing this without exim helping here (which would require a change
in exim program code) is _exceptionally_ hard in the configuration.

 May I ask why you chose to ignore all Debian documentation and instead
 went to honor a third-party HOWTO that clearly shows that its author
 is not familiar with Debian's exim packages?

Because I couldn't google anything up which was easy enough to follow:
as a newbie, totally unfamiliar with exim4, the main docs are extremely
hard to follow.

Running a Mail server on the Internet requires considerable knowledge,
and it is a bad idea to do this without even knowing the basics of
mail processing.

 If you know of a small howto which works

No. The topic is complex and requires considerable knowledge.

It _might_ help to 

Re: [exim] TLS Authentication at gmail failing

2006-10-28 Thread Hadron Quark
Marc Haber [EMAIL PROTECTED] writes:

 On Fri, 27 Oct 2006 13:18:21 +0200, Hadron Quark
 [EMAIL PROTECTED] wrote:
Marc Haber [EMAIL PROTECTED] writes:
 On Fri, 27 Oct 2006 10:00:25 +0200, Hadron Quark
 [EMAIL PROTECTED] wrote:
I have configured exim4 to use smarthost for sending mails. I have,
successfully, configured it to use procmail_pipe to intercept local
destinations - e.g. I can mail from the Linux command line to
[EMAIL PROTECTED] and procmail is invoked by exim4 to deliver to my local
maildirs.

The problem I have is that, using mail as opposed to my smtpmail
package in gnus and thus using exim4, the smarthost authentication is
failing. It worked twice and then stopped working.

Here is the logline I get:

2006-10-27 09:33:21 1GdMDG-0001tT-D9 ** [EMAIL PROTECTED]
R=smarthost T=remote_smtp_smarthost: SMTP error from remote mail server
after MAIL FROM:[EMAIL PROTECTED] SIZE=1369: host gmail-smtp.l.google.com
[66.249.93.111]: 530 5.5.1 Authentication Required c1sm157417ugf

 That looks like your exim is not trying to authenticate.
 http://wiki.debian.org/PkgExim4UserFAQ#head-c1af64f5f8594bec680ed64a199607afb8e1c084
 might help here.

Not really as it offers no advice on how to set up. I don't know enough
about SMTP to debug anything.

 If you do not know that much about SMTP, then you should probably not
 run a mail server on the public Internet.

I want to be able to send emails via an smtp smart host using the well
publicised exim4 stuff. I don't wish to open my machine as a relay or a receiver.


 I have, however, added some advice about how to debug to the FAQ
 entry. It might be more helpful now.

| Next, set up the client to send all outgoing mail via the relay host. 
Install exim4 and set it to use your relay server as a smarthost. Edit 
/etc/exim4/passwd.client and put in your username and password, something 
like:
| 
| ### CONFDIR/passwd.client
| #
| # Format:
| #targetmailserver.example:login:password
| #
| # default entry:
| ### *:bar:foo
| *:USERNAME:PASSWORD

 That is correct, and the * keeps you from hitting the trap mentioned
 in http://bugs.debian.org/244724 and
 http://pkg-exim4.alioth.debian.org/README/exim4-config_files.5.html#/etc/exim4/passwd.client

| Finally, hack your exim4.conf.template to use port 26 instead of 25. Find 
the section for remote_smtp_smarthost and add port = 26 to it. In my file 
it looks like this:
| 
| remote_smtp_smarthost:
|   debug_print = T: remote_smtp_smarthost for [EMAIL PROTECTED]
|   driver = smtp
|   hosts_try_auth = ${if exists {CONFDIR/passwd.client}{DCsmarthost}{}}
|   tls_tempfail_tryclear = false
|   DEBCONFheaders_rewriteDEBCONF
|   DEBCONFreturn_pathDEBCONF
|   port = 26
| 
| That should be it. Now mail sent locally will get relayed via port 26 on 
your relay host. 

 Please note that your third-party HOWTO gives the bad advice of
 delivering to port tcp/26. smtp.google.com only listens on ports
 tcp/25 and tcp/587.

The HOWTO I referenced didn't do anything with google. It was to do with
setting up your OWN smarthost for connecting to when on the road. As
I said above, I already changed the port to 587 anyway.

 Good.

 I have just checked: smtp.google.com offers STARTTLS and only
 advertises SMTP AUTH after the connection has been encrypted. Thus,
 the Debian exim4 should be able to authenticate fine. I have verified
 both with swaks and exim4 that authentication works.

 The only trap that I can see is that smtp.google.com is a CNAME, so
 you'll need to either put an asterisk in your passwd.client line or
 explicitly name the reverse DNS name of smtp.google.com, which is
 (today) gmail-smtp.l.google.com. 

Can you reference the info about this asterisk?

 Sure. I already did. Information is available in
 http://bugs.debian.org/244724 and
 http://pkg-exim4.alioth.debian.org/README/exim4-config_files.5.html#/etc/exim4/passwd.client

As for the CNAME - my
exim4 log reveals it has started a conversation with the smtp server just
fine - so where does this CNAME come in?

 The plain authenticator in Debian's default configuration uses $host
 as a key into /etc/exim4/passwd.client, and that variable contains the
 name of the host you are actually connected to, which is most probably
 taken from the reverse DNS entry of the associated IP address. Thus,
 an entry smtp.gmail.com would not match for the host you are
 connected to.

 Changing this without exim helping here (which would require a change
 in exim program code) is _exceptionally_ hard in the configuration.

This all sounds ridiculously difficult. I find it incredible that I can't
reference smtp.gmail.com as normal email clients do. Maybe you're
right: maybe exim4 isn't what I want or need. How to set up my system
to send mails locally and to the internet via a smart host from the Linux
mail facilities then? I want to be able to send to external targets via
cron etc too.


 May I ask why you chose to ignore all Debian 

Re: [exim] TLS Authentication at gmail failing

2006-10-28 Thread W B Hacker
Hadron Quark wrote:

*snip* largely circular discussion by now...
 
 I have no idea what you are talking about. Thanks for your help,
 but it seems this is more trouble than it's worth. Even the wiki didn't
 work.

Can we start over, please?

What sort of messages, besides the cron'ed reports mentioned, do you wish to 
get from your Linux box to the outside world?

Does your Linux box, for example, support users other than yourself who need to 
send and receive mail?  Mailing lists? A Wiki? Webforms? or what?

There are many possibilities, some of them dirt-simple, but we are getting 
wrapped up in the details of the process before understanding the specifics of 
the need.

Bill





-- 
## List details at http://www.exim.org/mailman/listinfo/exim-users 
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/


Re: [exim] TLS Authentication at gmail failing

2006-10-28 Thread John Robinson
On 28/10/2006 14:39, Hadron Quark wrote:
 Marc Haber [EMAIL PROTECTED] writes:
 If you do not know that much about SMTP, then you should probably not
 run a mail server on the public Internet.
 I want to be able to send emails via an smtp smart host using the well
 publicised exim4 stuff. I don't wish to open my machine as a relay or a 
 receiver.

He has a point, but it should be possible to get the odd email out from 
a Linux box, and it's less likely you'll end up with an open relay using 
exim than with any other.

[]
 This all sounds ridiculously difficult.

It's not, it's just that (like too many big providers) gmail's servers 
have many and inconsistent-looking names.

 I find it incredible that I can't
 reference smtp.gmail.com as normal email clients do.

Well, you can, you just have to use * or perhaps *.gmail.com; 
smtp.gmail.com is a nickname for several gmail servers. exim isn't an 
email client, it's an email server, but it is quite capable of being a 
client on behalf of other programs on your box.

 Maybe you're right: maybe exim4 isn't what I want or need.

It may sound difficult but exim's almost certainly simpler than any 
other solution.

Cheers,

John.



Re: [exim] TLS Authentication at gmail failing

2006-10-27 Thread Marc Haber
On Fri, 27 Oct 2006 10:00:25 +0200, Hadron Quark
[EMAIL PROTECTED] wrote:
I have configured exim4 to use smarthost for sending mails. I have,
successfully, configured it to use procmail_pipe to intercept local
destinations - e.g. I can mail from the Linux command line to
[EMAIL PROTECTED] and procmail is invoked by exim4 to deliver to my local
maildirs.

The problem I have is that, using mail as opposed to my smtpmail
package in gnus and thus using exim4, the smarthost authentication is
failing. It worked twice and then stopped working.

Here is the logline I get:

2006-10-27 09:33:21 1GdMDG-0001tT-D9 ** [EMAIL PROTECTED]
R=smarthost T=remote_smtp_smarthost: SMTP error from remote mail server
after MAIL FROM:[EMAIL PROTECTED] SIZE=1369: host gmail-smtp.l.google.com
[66.249.93.111]: 530 5.5.1 Authentication Required c1sm157417ugf

That looks like your exim is not trying to authenticate.
http://wiki.debian.org/PkgExim4UserFAQ#head-c1af64f5f8594bec680ed64a199607afb8e1c084
might help here.

Here is the HowTo I followed, changing the port selected by the client
to 587 for gmail's smtp servers. I have set up my passwd.client file.

http://www.lexspoon.org/linux/smtp-relay.html

That HOWTO is actually quite bad. A critique of it can be found in
http://wiki.debian.org/PkgExim4UserFAQ#head-143dbe79ffa3848284fbd0b0a2bb78dae3d75a18.

Possibly something to do with authentication file generated by
/usr/share/doc/exim4-base/examples/exim-gencert

Not at all. A certificate is not needed if all you want to do is
authenticate as a client.

 - should I have even
run that keeping in mind that I'm not running a receiving smtp server -
only a client.

It does not hurt, but it is not needed.

| Next, set up the client to send all outgoing mail via the relay host. 
Install exim4 and set it to use your relay server as a smarthost. Edit 
/etc/exim4/passwd.client and put in your username and password, something like:
| 
| ### CONFDIR/passwd.client
| #
| # Format:
| #targetmailserver.example:login:password
| #
| # default entry:
| ### *:bar:foo
| *:USERNAME:PASSWORD

That is correct, and the * keeps you from hitting the trap mentioned
in http://bugs.debian.org/244724 and
http://pkg-exim4.alioth.debian.org/README/exim4-config_files.5.html#/etc/exim4/passwd.client

| Finally, hack your exim4.conf.template to use port 26 instead of 25. Find 
the section for remote_smtp_smarthost and add port = 26 to it. In my file it 
looks like this:
| 
| remote_smtp_smarthost:
|   debug_print = T: remote_smtp_smarthost for [EMAIL PROTECTED]
|   driver = smtp
|   hosts_try_auth = ${if exists {CONFDIR/passwd.client}{DCsmarthost}{}}
|   tls_tempfail_tryclear = false
|   DEBCONFheaders_rewriteDEBCONF
|   DEBCONFreturn_pathDEBCONF
|   port = 26
| 
| That should be it. Now mail sent locally will get relayed via port 26 on 
your relay host. 

Please note that your third-party HOWTO gives the bad advice of
delivering to port tcp/26. smtp.google.com only listens on ports
tcp/25 and tcp/587.

I have just checked: smtp.google.com offers STARTTLS and only
advertises SMTP AUTH after the connection has been encrypted. Thus,
the Debian exim4 should be able to authenticate fine. I have verified
both with swaks and exim4 that authentication works.

The only trap that I can see is that smtp.google.com is a CNAME, so
you'll need to either put an asterisk in your passwd.client line or
explicitly name the reverse DNS name of smtp.google.com, which is
(today) gmail-smtp.l.google.com. 

May I ask why you chose to ignore all Debian documentation and instead
went to honor a third-party HOWTO that clearly shows that its author
is not familiar with Debian's exim packages?

Greetings
Marc

-- 
-- !! No courtesy copies, please !! -
Marc Haber |Questions are the | Mailadresse im Header
Mannheim, Germany  | Beginning of Wisdom  | http://www.zugschlus.de/
Nordisch by Nature | Lt. Worf, TNG Rightful Heir | Fon: *49 621 72739834

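To make the passwd.client trap concrete, here is an added example (not Exim's code and not from anyone in the thread) that parses a passwd.client file and performs the same host-keyed lookup the Debian smarthost authenticators do: the key is $host, the name of the server actually connected to (its reverse DNS name, e.g. gmail-smtp.l.google.com), not the smarthost name you configured. The file contents are constructed, and Exim's wildlsearch key rules are rendered in simplified form (a leading "*" matches any suffix, otherwise exact, case-insensitive).

```python
"""Emulate the $host-keyed passwd.client lookup behind Debian exim4's
smarthost authentication. Added example, not Exim code; the wildcard
rules are a simplified rendering of Exim's wildlsearch (assumption)."""
from typing import List, Optional, Tuple

Entry = Tuple[str, str, str]  # (host key, login, password)

# Constructed file in the shape of the HOWTO quoted in the thread, but
# keyed on the configured smarthost name instead of "*".
HOWTO_STYLE = """\
### CONFDIR/passwd.client
#
# Format:
# targetmailserver.example:login:password
smtp.gmail.com:USERNAME:PASSWORD
"""

# Constructed file using the wildcard entry the Debian docs recommend.
DEBIAN_STYLE = "*:USERNAME:PASSWORD\n"


def parse_passwd_client(text: str) -> List[Entry]:
    """Parse host:login:password lines; blank lines and comments are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 2)  # password may itself contain ':'
        if len(parts) != 3:
            raise ValueError(f"malformed passwd.client line: {raw!r}")
        entries.append((parts[0], parts[1], parts[2]))
    return entries


def key_matches(key: str, host: str) -> bool:
    """Simplified wildlsearch key match: '*' alone matches every host,
    '*.google.com' matches any name ending in '.google.com', anything
    else must match the host name exactly (case-insensitively)."""
    key, host = key.lower(), host.lower()
    if key.startswith("*"):
        return host.endswith(key[1:])
    return key == host


def lookup_credentials(entries: List[Entry], host: str) -> Optional[Tuple[str, str]]:
    """Return (login, password) for the first entry whose key matches
    $host, or None. None is the case the thread describes: Exim then
    skips AUTH and the remote side answers 530 Authentication Required."""
    for key, login, password in entries:
        if key_matches(key, host):
            return login, password
    return None


if __name__ == "__main__":
    connected_host = "gmail-smtp.l.google.com"  # reverse DNS name from the log line
    for label, text in (("HOWTO-style", HOWTO_STYLE), ("Debian-style", DEBIAN_STYLE)):
        result = lookup_credentials(parse_passwd_client(text), connected_host)
        print(f"{label:13s} $host={connected_host}: {result}")
```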


Re: [exim] TLS Authentication at gmail failing

2006-10-27 Thread Hadron Quark

(apologies as I replied directly to Mark as opposed to following up)


Thanks for the reply. See below.

Marc Haber [EMAIL PROTECTED] writes:

 On Fri, 27 Oct 2006 10:00:25 +0200, Hadron Quark
 [EMAIL PROTECTED] wrote:
I have configured exim4 to use smarthost for sending mails. I have,
successfully, configured it to use procmail_pipe to intercept local
destinations - e.g. I can mail from the Linux command line to
[EMAIL PROTECTED] and procmail is invoked by exim4 to deliver to my local
maildirs.

The problem I have is that, using mail as opposed to my smtpmail
package in gnus and thus using exim4, the smarthost authentication is
failing. It worked twice and then stopped working.

Here is the logline I get:

2006-10-27 09:33:21 1GdMDG-0001tT-D9 ** [EMAIL PROTECTED]
R=smarthost T=remote_smtp_smarthost: SMTP error from remote mail server
after MAIL FROM:[EMAIL PROTECTED] SIZE=1369: host gmail-smtp.l.google.com
[66.249.93.111]: 530 5.5.1 Authentication Required c1sm157417ugf

 That looks like your exim is not trying to authenticate.
 http://wiki.debian.org/PkgExim4UserFAQ#head-c1af64f5f8594bec680ed64a199607afb8e1c084
 might help here.

Not really as it offers no advice on how to set up. I don't know enough
about SMTP to debug anything.


Here is the HowTo I followed, changing the port selected by the client
to 587 for gmail's smtp servers. I have set up my passwd.client file.

http://www.lexspoon.org/linux/smtp-relay.html

 That HOWTO is actually quite bad. A critique of it can be found in
 http://wiki.debian.org/PkgExim4UserFAQ#head-143dbe79ffa3848284fbd0b0a2bb78dae3d75a18.

Possibly something to do with authentication file generated by
/usr/share/doc/exim4-base/examples/exim-gencert

 Not at all. A certificate is not needed if all you want to do is
 authenticate as a client.

That's good to know - thanks.


 - should I have even
run that keeping in mind that I'm not running a receiving smtp server -
only a client.

 It does not hurt, but it is not needed.

| Next, set up the client to send all outgoing mail via the relay host. 
Install exim4 and set it to use your relay server as a smarthost. Edit 
/etc/exim4/passwd.client and put in your username and password, something 
like:
| 
| ### CONFDIR/passwd.client
| #
| # Format:
| #targetmailserver.example:login:password
| #
| # default entry:
| ### *:bar:foo
| *:USERNAME:PASSWORD

 That is correct, and the * keeps you from hitting the trap mentioned
 in http://bugs.debian.org/244724 and
 http://pkg-exim4.alioth.debian.org/README/exim4-config_files.5.html#/etc/exim4/passwd.client

| Finally, hack your exim4.conf.template to use port 26 instead of 25. Find 
the section for remote_smtp_smarthost and add port = 26 to it. In my file it 
looks like this:
| 
| remote_smtp_smarthost:
|   debug_print = T: remote_smtp_smarthost for [EMAIL PROTECTED]
|   driver = smtp
|   hosts_try_auth = ${if exists {CONFDIR/passwd.client}{DCsmarthost}{}}
|   tls_tempfail_tryclear = false
|   DEBCONFheaders_rewriteDEBCONF
|   DEBCONFreturn_pathDEBCONF
|   port = 26
| 
| That should be it. Now mail sent locally will get relayed via port 26 on 
your relay host. 

 Please note that your third-party HOWTO gives the bad advice of
 delivering to port tcp/26. smtp.google.com only listens on ports
 tcp/25 and tcp/587.

The HOWTO I referenced didn't do anything with google. It was to do with
setting up your OWN smarthost for connecting to when on the road. As
I said above, I already changed the port to 587 anyway.


 I have just checked: smtp.google.com offers STARTTLS and only
 advertises SMTP AUTH after the connection has been encrypted. Thus,
 the Debian exim4 should be able to authenticate fine. I have verified
 both with swaks and exim4 that authentication works.

 The only trap that I can see is that smtp.google.com is a CNAME, so
 you'll need to either put an asterisk in your passwd.client line or
 explicitly name the reverse DNS name of smtp.google.com, which is
 (today) gmail-smtp.l.google.com. 

Can you reference the info about this asterisk? As for the CNAME - my
exim4 log reveals it has started a conversation with the smtp server just
fine - so where does this CNAME come in? Clearly I wouldn't want to put
in a day-specific smtp server name. smtp.gmail.com seems to find their
servers fine. What am I misunderstanding here?


 May I ask why you chose to ignore all Debian documentation and instead
 went to honor a third-party HOWTO that clearly shows that its author
 is not familiar with Debian's exim packages?

Because I couldn't google anything up which was easy enough to follow:
as a newbie, totally unfamiliar with exim4, the main docs are extremely
hard to follow. If you know of a small howto which works please let me
know or even the link to proper debian documentation which doesn't assume
knowledge of SMTP protocol and telnet. I had a look at the wiki FAQ,