Hi all,

I'm trying to get TLS working, and I want to authenticate against my courier authdaemon. I want my mail server to require auth before it will relay mail. I'm using Exim 4 on Gentoo.

I've tried the instructions at http://www.exim.org/mail-archives/exim-users/Week-of-Mon-20050307/msg00180.html but I'm still having problems.

For starters, I'm not sure it's authenticating when my machine connects. I'm using Mail.app on Apple, and when I try and send a mail, I see the following message in my exim log file:

2005-09-20 23:00:49 TLS error on connection from ([192.168.10.5]) [192.168.10.5] (SSL_CTX_load_verify_locations): error:00000000:lib (0):func(0):reason(0)

I have the following sections in my exim configuration file:

Global Settings
tls_certificate = /etc/exim/exim.crt
tls_privatekey = /etc/exim/exim.key
tls_advertise_hosts = *
tls_verify_hosts = *
tls_verify_certificates = /etc/exim/cacerts.pem

I created the pem file by doing

openssl req -new -days 3650 -nodes -config smtp.cnf -out smtp.pem -keyout smtp.pem

and then moving smtp.pem to /etc/exim. The CN in the configuration file is the host name that my mail clients use to connect to the server.

TRANSPORTS
remote_smtp:
  driver = smtp
  interface = xx.xx.xx.xx
  hosts_require_tls = *
  tls_certificate = /etc/exim/exim.crt
  tls_privatekey = /etc/exim/exim.key

AUTHENTICATORS
plain:
  driver = plaintext
  public_name = PLAIN
  server_advertise_condition = ${if eq{$tls_cipher}{}{no}{yes}}
  server_condition = ${if eq {${readsocket{/var/lib/courier/authdaemon/socket} \
      {AUTH ${strlen:exim\nlogin\n$1\n$2\n}\nexim\nlogin\n$1\n$2\n}}}{FAIL\n} {no}{yes}}
  server_set_id = $2

Can anyone advise me what I've missed or what I'm doing wrong?

Any help would be gratefully appreciated! I'm heading out of the country for a while, and I want to be able to relay mail through my main server. I also want to set up SPF when I get back, and I believe that this is an essential first step.

Thanks in advance,

--
Wayne Pascoe    (gpg --keyserver www.co.uk.pgp.net --recv-keys 79A7C870)
The time for action is passed. Now is the
time for senseless bickering.
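
The authenticator above hands $1 and $2 to authdaemon, so it helps to see what those variables hold for a PLAIN exchange. This is an added example, not part of the original post or of Exim: it splits a constructed PLAIN response into the fields Exim's plaintext driver numbers $1 (authorization identity), $2 (login name) and $3 (password), and frames the AUTH request in the format the posted server_condition uses. The function names and the sample credentials are assumptions made for the illustration.

```python
import base64

# Constructed sample: what a client sends for AUTH PLAIN with an empty
# authorization identity, user "alice" and password "example-pw".
SAMPLE = base64.b64encode(b"\0alice\0example-pw").decode("ascii")

def plain_fields(b64_response):
    """Split a PLAIN response (authzid NUL authcid NUL password) into
    the numbered variables Exim's plaintext driver would set."""
    parts = base64.b64decode(b64_response, validate=True).split(b"\0")
    if len(parts) != 3:
        raise ValueError("PLAIN needs exactly three NUL-separated fields")
    return {"$%d" % i: p.decode("utf-8") for i, p in enumerate(parts, 1)}

def authdaemon_request(service, user, password):
    """Frame the request as the posted server_condition does:
    AUTH <len>\\n<service>\\nlogin\\n<user>\\n<password>\\n"""
    for value in (service, user, password):
        if "\n" in value or "\r" in value:
            # a line break inside a field would shift every later line
            raise ValueError("line break in request field")
    body = ("%s\nlogin\n%s\n%s\n" % (service, user, password)).encode("utf-8")
    return b"AUTH %d\n" % len(body) + body

def accepted(reply):
    """The posted comparison: only the exact reply FAIL\\n rejects, so
    any other reply, an empty one included, counts as success."""
    return reply != b"FAIL\n"

if __name__ == "__main__":
    f = plain_fields(SAMPLE)
    print(f)
    print(authdaemon_request("exim", f["$1"], f["$2"]))  # fields as posted
    print(authdaemon_request("exim", f["$2"], f["$3"]))  # login name, password
```

For a LOGIN exchange, where the server prompts for the user name and then the password, the same two values arrive as $1 and $2 instead.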

