Rob Brenart wrote:
There is a simpler way to annotate it, but this should cover it all:
=============================================
local_interfaces = <your first IP> : <your next IP>
# Defaults to all if not mentioned.
daemon_smtp_ports = 25 : <second port> : <third port> : <fourth port> : 465 : <fifth port>
# Defaults to 25 if not mentioned.
tls_on_connect_ports = 465 : <next port>
# (those ones will work the old SSL protocol)
# Defaults to none, AFAIK, but runs TLS on all.
# Note that there is no colon after the last entry.
tls_certificate = /usr/local/etc/exim/certs/<your cert filename>
# You did generate & install a cert?
tls_advertise_hosts = *
tls_remember_esmtp = yes
# These to get esmtps // esmtpsa TLS end-to-end with hosts that grok it
auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}
# there are variations on this
===============================================
> Correct me if I'm wrong, but this help sounds like help for listeners,
Wrong.
This covers *both* other MTAs and MUAs.
> and my trouble is in sending mail to a smarthost, not receiving from...
> the smarthost I'm sending to is what it is, I can't make any changes
> there...
With the above, any host that can and will grok TLS will use it, as it,
and you, will both 'advertise' it at EHLO/HELO, then negotiate whatever
works.
Including 'en clair' if the servers cannot agree on certs and protocol
rev levels.
There is a separate setting to make Exim 'TLS or no speak at all'.
> and the reason SSL & TLS came up is because in my thunderbird
> installation, SSL is what my SMTP is configured to, which makes it
> communicate over port 465.
... or other port of your choice, in the case of T-Bird/Mozilla/Netscape.
Count the ports I left without actual numbers... Some support STARTTLS
/ en clair, others SSL/TLS-on-connect or no-deal.
The MUA-to-MTA issue is only superficially related to MTA-MTA handshakes,
but provided for in the config above.
An MUA does an EHLO/HELO equivalent as MTAs do, but many MUAs are
broken, and in different ways.
In the case of smtps / SSL / TLS-on-connect, the listener does not send
a banner first, nor does the caller expect one.
In the case of newer SSL3/TLS, the listener provides a banner when the
port is connected to.
The caller waits for this before commencing the EHLO/HELO.
A common problem is trying to get a pure-TLS MUA to connect to an
SSL/TLS-on-connect port.
It waits until 'time out' for a banner that will never come.
Likewise an older SSL-only MUA trying to connect to a newer TLS host.
It speaks without first being spoken to,
and gets thrown off by the host for bad manners, AKA 'protocol violations'.
MTAs seldom have these problems, as they *have to* adhere to standards
and shift gears according to the standards.
HTH,
Bill
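The banner-first versus speak-first behaviour described above, as an added example that is not from the original post and not Exim's own code: a small Python probe that classifies a port by whether a 220 greeting arrives before the client says anything, with two loopback listeners (constructed here) standing in for a daemon_smtp_ports port and a tls_on_connect_ports port. The host names, the one-second banner timeout and the simulated capability list are assumptions, and the TLS-on-connect listener only waits for the client's first bytes rather than completing a real TLS handshake.

```python
"""Classify an SMTP port as STARTTLS (server greets first) or
TLS-on-connect/smtps (client must speak first), and show the
timeout a STARTTLS-only client runs into on an smtps port."""
import socket
import threading


# ---- Two simulated listeners (constructed for this example; not Exim) ----

def start_listener(handler):
    """Bind a loopback port, hand the listening socket to `handler` in a
    daemon thread, and return the port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    threading.Thread(target=handler, args=(srv,), daemon=True).start()
    return srv.getsockname()[1]


def serve_banner_first(srv):
    """Plaintext SMTP listener, like a port in daemon_smtp_ports: the server
    greets first, then answers EHLO and advertises STARTTLS."""
    with srv:
        conn, _ = srv.accept()
    with conn:
        conn.settimeout(5)
        conn.sendall(b"220 mail.example.test ESMTP simulated\r\n")
        buf = b""
        while b"\r\n" not in buf:
            chunk = conn.recv(1024)
            if not chunk:
                return
            buf += chunk
        if buf.upper().startswith(b"EHLO"):
            conn.sendall(b"250-mail.example.test\r\n"
                         b"250-STARTTLS\r\n"
                         b"250 8BITMIME\r\n")
        else:
            conn.sendall(b"500 expected EHLO\r\n")


def serve_tls_on_connect(srv):
    """smtps-style listener, like a port in tls_on_connect_ports: it sends no
    banner and waits for the client's TLS ClientHello. A real listener would
    complete the handshake and only then send 220 inside the TLS channel;
    this simulation just waits for the client's first bytes and closes."""
    with srv:
        conn, _ = srv.accept()
    with conn:
        conn.settimeout(5)
        try:
            conn.recv(5)          # would be the TLS record header (0x16 ...)
        except socket.timeout:
            pass


# ---- The probe ----

def read_reply(sock):
    """Read one (possibly multi-line) SMTP reply: continuation lines have a
    hyphen after the 3-digit code, the final line has a space."""
    buf = b""
    while True:
        chunk = sock.recv(1024)
        if not chunk:
            break
        buf += chunk
        lines = buf.split(b"\r\n")[:-1]        # complete lines only
        if lines and lines[-1][3:4] == b" ":
            break
    return buf.decode("ascii", errors="replace").splitlines()


def classify_smtp_port(host, port, banner_timeout=1.0):
    """Return (mode, capabilities); mode is 'starttls', 'plaintext-only',
    'tls-on-connect' or 'unknown'."""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.settimeout(banner_timeout)
        try:
            banner = sock.recv(512)
        except socket.timeout:
            # No greeting: the listener expects the client to speak first.
            # A STARTTLS-only client sits here waiting for a banner that
            # never comes; the probe turns that hang into a diagnosis.
            return ("tls-on-connect", [])
        if not banner.startswith(b"220"):
            return ("unknown", [banner.decode("ascii", errors="replace").strip()])
        sock.settimeout(5)
        sock.sendall(b"EHLO probe.example.test\r\n")
        caps = [line[4:] for line in read_reply(sock) if line.startswith("250")]
        try:
            sock.sendall(b"QUIT\r\n")
        except OSError:
            pass                                # peer may already have closed
        return ("starttls" if "STARTTLS" in caps else "plaintext-only", caps)


def demo():
    plain_port = start_listener(serve_banner_first)
    smtps_port = start_listener(serve_tls_on_connect)
    return {"plain": classify_smtp_port("127.0.0.1", plain_port),
            "smtps": classify_smtp_port("127.0.0.1", smtps_port)}


if __name__ == "__main__":
    for name, (mode, caps) in demo().items():
        print(f"{name}: {mode} {caps}")
```

Against a real Exim, point classify_smtp_port at port 25 (expect 'starttls' once tls_advertise_hosts covers you) and at 465 (expect 'tls-on-connect'); if a port you listed in tls_on_connect_ports comes back 'starttls', it was not also in daemon_smtp_ports or the daemon was not restarted.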
--
## List details at http://www.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/