Re: exim4 as a smarthost with TLS
Guys, guess what? I received my test mails!!! Reco, thank you very much; Sven, also, for your input.

Rudu
Re: exim4 as a smarthost with TLS
Reco, Sven, thank you for your help; my next steps are below:

On 31/07/2021 at 16:24, Reco wrote:
> On Sat, Jul 31, 2021 at 04:03:43PM +0200, Sven Hartge wrote:
> > Reco wrote:
> > > On Sat, Jul 31, 2021 at 02:45:34PM +0200, Sven Hartge wrote:
> > > > Reco wrote:
> > > >
> > > > > Seems straightforward enough.
> > > > > Edit /etc/exim4/exim4.conf.template, you'll need to comment out a block
> > > > > similar to this:
> > > >
> > > > > .ifndef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
> > > > > REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS = *
> > > > > .endif
> > > >
> > > > > Do not touch second block (starting with .ifdef
> > > > > REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS).
> > > >
> > > > > Execute /usr/sbin/update-exim4.conf.
> > > > > Bounce exim4.
> > > >
> > > > > Smarthost certificate verification should be disabled after this.
> > > >
> > > > Wouldn't it be easier to just create /etc/exim4/exim4.conf.localmacros
> > > > and put
> > > >
> > > > REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS = !*
> > > >
> > > > in it?
> > >
> > > Could be. Will exim4.conf.localmacros apply to non-split exim config?
> >
> > It will *only* apply to a non-split config.
>
> Agreed. There's nothing wrong in trying REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS = !*
> as far as I'm concerned.

What I just did:

# nano /etc/exim4/exim4.conf.template

I commented out this:

#.ifndef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
# REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS = *
#.endif

Then:

# update-exim4.conf
# systemctl restart exim4.service
# rm /var/spool/exim4/db/retry*
# rm /var/spool/exim4/db/wait-remote_smtp_smarthost*
# tail -f /var/log/exim4/mainlog

Then in a user terminal:

$ mail -s test my.n...@provider.fr

The log:

2021-08-01 00:33:34 1m9xXy-00035e-PB <= my.n...@provider.fr U=rudu P=local S=463
2021-08-01 00:33:35 1m9xXy-00035e-PB H=smtpauth.provider.fr [185.204.xxx.xxx]: SMTP error from remote mail server after AUTH PLAIN : 454 4.7.0 Temporary authentication failure: Connection lost to authentication server
2021-08-01 00:33:35 1m9xXy-00035e-PB == my.n...@provider.fr R=smarthost T=remote_smtp_smarthost defer (0) H=smtpauth.provider.fr [185.204.xxx.xxx]: SMTP error from remote mail server after AUTH PLAIN : 454 4.7.0 Temporary authentication failure: Connection lost to authentication server

Sorry to be so lost, but I really can't figure out what all this means... But that's sort of a new kind of mainlog from exim4... Does it ring a bell?

Thanks in advance
Rudu
Re: exim4 as a smarthost with TLS
On Sat, Jul 31, 2021 at 04:03:43PM +0200, Sven Hartge wrote:
> Reco wrote:
> > On Sat, Jul 31, 2021 at 02:45:34PM +0200, Sven Hartge wrote:
> >> Reco wrote:
> >>
> >> > Seems straightforward enough.
> >> > Edit /etc/exim4/exim4.conf.template, you'll need to comment out a block
> >> > similar to this:
> >>
> >> > .ifndef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
> >> > REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS = *
> >> > .endif
> >>
> >> > Do not touch second block (starting with .ifdef
> >> > REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS).
> >>
> >> > Execute /usr/sbin/update-exim4.conf.
> >> > Bounce exim4.
> >>
> >> > Smarthost certificate verification should be disabled after this.
> >>
> >> Wouldn't it be easier to just create /etc/exim4/exim4.conf.localmacros
> >> and put
> >>
> >> REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS = !*
> >>
> >> in it?
>
> > Could be. Will exim4.conf.localmacros apply to non-split exim config?
>
> It will *only* apply to a non-split config.

Agreed. There's nothing wrong in trying REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS = !*
as far as I'm concerned.

Reco
Re: exim4 as a smarthost with TLS
Reco wrote:
> On Sat, Jul 31, 2021 at 02:45:34PM +0200, Sven Hartge wrote:
>> Reco wrote:
>>
>> > Seems straightforward enough.
>> > Edit /etc/exim4/exim4.conf.template, you'll need to comment out a block
>> > similar to this:
>>
>> > .ifndef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
>> > REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS = *
>> > .endif
>>
>> > Do not touch second block (starting with .ifdef
>> > REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS).
>>
>> > Execute /usr/sbin/update-exim4.conf.
>> > Bounce exim4.
>>
>> > Smarthost certificate verification should be disabled after this.
>>
>> Wouldn't it be easier to just create /etc/exim4/exim4.conf.localmacros
>> and put
>>
>> REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS = !*
>>
>> in it?

> Could be. Will exim4.conf.localmacros apply to non-split exim config?

It will *only* apply to a non-split config.

For the split config you need to create a file like
/etc/exim4/conf.d/main/000_localconfig instead.

Documentation says:

,[ /usr/share/doc/exim4-base/README.Debian.gz
| For split configuration, you can drop the local configuration file
| anywhere in /etc/exim4/conf.d/main. Just make sure it gets read
| before the macro is first used. 000_localmacros is a possible name,
| guaranteeing first order. For a non-split configuration,
| /etc/exim4/exim4.conf.localmacros gets read before
| /etc/exim4/exim4.conf.template.
`

S°

-- 
Sigmentation fault. Core dumped.
Re: exim4 as a smarthost with TLS
On Sat, Jul 31, 2021 at 02:45:34PM +0200, Sven Hartge wrote:
> Reco wrote:
>
> > Seems straightforward enough.
> > Edit /etc/exim4/exim4.conf.template, you'll need to comment out a block
> > similar to this:
>
> > .ifndef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
> > REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS = *
> > .endif
>
> > Do not touch second block (starting with .ifdef
> > REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS).
>
> > Execute /usr/sbin/update-exim4.conf.
> > Bounce exim4.
>
> > Smarthost certificate verification should be disabled after this.
>
> Wouldn't it be easier to just create /etc/exim4/exim4.conf.localmacros
> and put
>
> REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS = !*
>
> in it?

Could be. Will exim4.conf.localmacros apply to non-split exim config?

Reco
Re: exim4 as a smarthost with TLS
Reco wrote:

> Seems straightforward enough.
> Edit /etc/exim4/exim4.conf.template, you'll need to comment out a block
> similar to this:

> .ifndef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
> REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS = *
> .endif

> Do not touch second block (starting with .ifdef
> REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS).

> Execute /usr/sbin/update-exim4.conf.
> Bounce exim4.

> Smarthost certificate verification should be disabled after this.

Wouldn't it be easier to just create /etc/exim4/exim4.conf.localmacros
and put

REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS = !*

in it?

That way you don't need to edit the template (causing a merge prompt on
the next exim4 update). This is also the way the README.Debian suggests
doing this.

S°

-- 
Sigmentation fault. Core dumped.
Re: exim4 as a smarthost with TLS
On Sat, Jul 31, 2021 at 01:03:18PM +0200, rudu wrote:
> On 31/07/2021 at 08:25, Reco wrote:
> > On Sat, Jul 31, 2021 at 09:21:02AM +0300, Reco wrote:
> > > > > grep split /etc/exim4/update-exim4.conf.conf
> > > > # grep split /etc/exim4/update-exim4.conf.conf
> > > > dc_use_split_config='false'
> > > And this part shows that to change this you have to edit files at
> > > /etc/exim4/conf.d.
> > Damn. I need to think more before I send e-mails.
> > Of course this part shows that you lack a split exim4 config, so we'll
> > have to edit /etc/exim4/exim4.conf.template.
> >
> > So, in addition to:
> >
> > grep -R REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS /etc/exim4/conf.d
> # grep -R REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS /etc/exim4/conf.d
> /etc/exim4/conf.d/transport/30_exim4-config_remote_smtp_smarthost:.ifdef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
> /etc/exim4/conf.d/transport/30_exim4-config_remote_smtp_smarthost: tls_verify_hosts = REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
> /etc/exim4/conf.d/transport/10_exim4-config_transport-macros:.ifndef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
> /etc/exim4/conf.d/transport/10_exim4-config_transport-macros: REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS = *
>
> > Please also post this:
> >
> > grep REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS /etc/exim4/exim4.conf.template
> # grep REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS /etc/exim4/exim4.conf.template
> .ifndef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
> REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS = *
> .ifdef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
> tls_verify_hosts = REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS

Seems straightforward enough.
Edit /etc/exim4/exim4.conf.template, you'll need to comment out a block
similar to this:

.ifndef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS = *
.endif

Do not touch second block (starting with .ifdef
REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS).

Execute /usr/sbin/update-exim4.conf.
Bounce exim4.

Smarthost certificate verification should be disabled after this.
If you ever need to reenable it - just uncomment the ifndef block, and
execute /usr/sbin/update-exim4.conf once more.

Reco
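The two ways discussed in this thread of getting the macro in front of update-exim4.conf (commenting out the block in exim4.conf.template, or dropping an override into exim4.conf.localmacros, which for a split configuration has to live under conf.d/main instead, as the README.Debian passage quoted above says) both come down to one question: which file does update-exim4.conf read first on this machine? The helper below is an added example, not code from the thread or from Debian's exim4 package. It reads dc_use_split_config from update-exim4.conf.conf to pick the right override file and rewrites the macro idempotently, so repeated runs never leave two definitions behind. EXIM4_ETC is the example's own variable (defaulting to /etc/exim4) so the demonstration at the bottom runs against a scratch directory. The same function can set REMOTE_SMTP_SMARTHOST_TLS_VERIFY_CERTIFICATES, the macro visible in the config.autogenerated grep output posted in this thread, to the CA file the provider's chain actually ends in; that keeps verification on, whereas !* stops exim checking the smarthost's certificate at all, and it is the smarthost that receives the AUTH PLAIN credentials.

```shell
#!/bin/sh
# Added example (not from the thread or the exim4 package): put a Debian exim4
# macro override in the file update-exim4.conf will read, chosen from
# dc_use_split_config as described in README.Debian:
#   split     -> $EXIM4_ETC/conf.d/main/000_localmacros
#   non-split -> $EXIM4_ETC/exim4.conf.localmacros
# EXIM4_ETC is this example's own knob (default /etc/exim4) so the functions
# can be exercised against a scratch directory.

: "${EXIM4_ETC:=/etc/exim4}"

exim4_macro_file() {
    split=$(sed -n "s/^dc_use_split_config='\([a-z]*\)'.*/\1/p" \
                "$EXIM4_ETC/update-exim4.conf.conf" 2>/dev/null || true)
    if [ "$split" = "true" ]; then
        echo "$EXIM4_ETC/conf.d/main/000_localmacros"
    else
        echo "$EXIM4_ETC/exim4.conf.localmacros"
    fi
}

# exim4_set_macro NAME VALUE: define NAME exactly once in the override file
# (an earlier definition of NAME is replaced, other lines are kept).
exim4_set_macro() {
    f=$(exim4_macro_file)
    mkdir -p "$(dirname "$f")"
    [ -f "$f" ] || : > "$f"
    tmp="$f.tmp.$$"
    grep -v "^$1[[:space:]]*=" "$f" > "$tmp" || true   # grep -v exits 1 when nothing is left
    printf '%s = %s\n' "$1" "$2" >> "$tmp"
    mv "$tmp" "$f"
}

# exim4_get_macro NAME: print NAME's value from the override file, exit 1 if unset.
exim4_get_macro() {
    sed -n "s/^$1[[:space:]]*=[[:space:]]*//p" "$(exim4_macro_file)" 2>/dev/null | grep .
}

# Demonstration against a scratch directory, so the real /etc/exim4 is untouched.
(
    d=$(mktemp -d); EXIM4_ETC="$d"
    printf "dc_use_split_config='false'\n" > "$d/update-exim4.conf.conf"
    exim4_set_macro REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS '*'
    printf '%s -> %s\n' "$(exim4_macro_file)" \
        "$(exim4_get_macro REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS)"
    rm -rf "$d"
)

# Real use, as root, then regenerate the config and reload:
#   exim4_set_macro REMOTE_SMTP_SMARTHOST_TLS_VERIFY_CERTIFICATES /etc/ssl/certs/ca-certificates.crt
#   update-exim4.conf && systemctl restart exim4
#   exim4 -bP transport remote_smtp_smarthost | grep tls_verify   # what exim actually runs with
```

After update-exim4.conf has run, `exim4 -bP transport remote_smtp_smarthost` shows the transport's effective tls_verify_hosts and tls_verify_certificates, which is the check worth doing before trusting that the override took effect.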
Re: exim4 as a smarthost with TLS
Hi Reco,

On 31/07/2021 at 08:25, Reco wrote:
> On Sat, Jul 31, 2021 at 09:21:02AM +0300, Reco wrote:
> > > grep split /etc/exim4/update-exim4.conf.conf
> > # grep split /etc/exim4/update-exim4.conf.conf
> > dc_use_split_config='false'
> > And this part shows that to change this you have to edit files at
> > /etc/exim4/conf.d.
> Damn. I need to think more before I send e-mails.
> Of course this part shows that you lack a split exim4 config, so we'll
> have to edit /etc/exim4/exim4.conf.template.
>
> So, in addition to:
>
> grep -R REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS /etc/exim4/conf.d

# grep -R REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS /etc/exim4/conf.d
/etc/exim4/conf.d/transport/30_exim4-config_remote_smtp_smarthost:.ifdef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
/etc/exim4/conf.d/transport/30_exim4-config_remote_smtp_smarthost: tls_verify_hosts = REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
/etc/exim4/conf.d/transport/10_exim4-config_transport-macros:.ifndef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
/etc/exim4/conf.d/transport/10_exim4-config_transport-macros: REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS = *

> Please also post this:
>
> grep REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS /etc/exim4/exim4.conf.template

# grep REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS /etc/exim4/exim4.conf.template
.ifndef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS = *
.ifdef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
tls_verify_hosts = REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS

Thank you
Rudu
Re: exim4 as a smarthost with TLS
On Sat, Jul 31, 2021 at 09:21:02AM +0300, Reco wrote:
> > > grep split /etc/exim4/update-exim4.conf.conf
> > # grep split /etc/exim4/update-exim4.conf.conf
> > dc_use_split_config='false'
>
> And this part shows that to change this you have to edit files at
> /etc/exim4/conf.d.

Damn. I need to think more before I send e-mails.
Of course this part shows that you lack a split exim4 config, so we'll
have to edit /etc/exim4/exim4.conf.template.

So, in addition to:

grep -R REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS /etc/exim4/conf.d

Please also post this:

grep REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS /etc/exim4/exim4.conf.template

Reco
Re: exim4 as a smarthost with TLS
Hi.

On Sat, Jul 31, 2021 at 01:08:19AM +0200, rudu wrote:
> Thank you Reco, see below
>
> On 30/07/2021 at 18:27, Reco wrote:
> > On Fri, Jul 30, 2021 at 07:25:34PM +0300, Reco wrote:
> > > Hi.
> > >
> > > On Fri, Jul 30, 2021 at 03:35:28PM +0200, rudu wrote:
> > > > Still, a simple :
> > > > $ mail -s test my.n...@provider.fr
> > > > ... ends up to show in # tail -f /var/log/exim4/mainlog :
> > > > 2021-07-30 10:58:09 1m9OLJ-000cAf-Ss <= my.n...@provider.fr U=rudu P=local S=461
> > > > 2021-07-30 10:58:10 1m9OLJ-000cAf-Ss == my.n...@provider.fr R=smarthost T=remote_smtp_smarthost defer (-37) H=smtpauth.provider.fr [185.204.xxx.xxx]: TLS session: (certificate verification failed): certificate invalid
> > > Your exim certificate has nothing to do with this.
> > > But your smarthost certificate certainly does.
> > >
> > > Every time you try to send a mail, your exim checks certificate of
> > > remote MTA, and it does not like what it sees.
> > >
> > > > So, when I ran the command :
> > > > # bash /usr/share/doc/exim4-base/examples/exim-gencert
> > > > ... did I miss something that should be there ?
> > > It's possible. Please provide an output of:
> > >
> > > grep -i 'tls_.*verify' /var/lib/exim4/config.autogenerated
> > >
> > > grep split exim4/update-exim4.conf.conf
> > A typo.
> > > > grep -i 'tls_.*verify' /var/lib/exim4/config.autogenerated
> # grep -i 'tls_.*verify' /var/lib/exim4/config.autogenerated
> .ifndef MAIN_TLS_VERIFY_CERTIFICATES
> MAIN_TLS_VERIFY_CERTIFICATES = ${if exists{/etc/ssl/certs/ca-certificates.crt}\
> tls_verify_certificates = MAIN_TLS_VERIFY_CERTIFICATES
> .ifdef MAIN_TLS_VERIFY_HOSTS
> tls_verify_hosts = MAIN_TLS_VERIFY_HOSTS
> .ifdef MAIN_TLS_TRY_VERIFY_HOSTS
> tls_try_verify_hosts = MAIN_TLS_TRY_VERIFY_HOSTS
> .ifndef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
> REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS = *
> .ifdef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_CERTIFICATES
> tls_verify_certificates = REMOTE_SMTP_SMARTHOST_TLS_VERIFY_CERTIFICATES
> .ifdef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
> tls_verify_hosts = REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS

This part of exim4 config shows that it has certificate verification
enabled. And it does this for smarthosts too, which corresponds to
REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS = *.

> > grep split /etc/exim4/update-exim4.conf.conf
> # grep split /etc/exim4/update-exim4.conf.conf
> dc_use_split_config='false'

And this part shows that to change this you have to edit files at
/etc/exim4/conf.d.

The only question left is - which particular macro defines
REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS, because it certainly does not
happen here (exim4-daemon-heavy, buster, but I don't use "satellite"
configuration).

Therefore,

grep -R REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS /etc/exim4/conf.d

Reco
Re: exim4 as a smarthost with TLS
Thank you Reco, see below

On 30/07/2021 at 18:27, Reco wrote:
> On Fri, Jul 30, 2021 at 07:25:34PM +0300, Reco wrote:
> > Hi.
> >
> > On Fri, Jul 30, 2021 at 03:35:28PM +0200, rudu wrote:
> > > Still, a simple :
> > > $ mail -s test my.n...@provider.fr
> > > ... ends up to show in # tail -f /var/log/exim4/mainlog :
> > > 2021-07-30 10:58:09 1m9OLJ-000cAf-Ss <= my.n...@provider.fr U=rudu P=local S=461
> > > 2021-07-30 10:58:10 1m9OLJ-000cAf-Ss == my.n...@provider.fr R=smarthost T=remote_smtp_smarthost defer (-37) H=smtpauth.provider.fr [185.204.xxx.xxx]: TLS session: (certificate verification failed): certificate invalid
> >
> > Your exim certificate has nothing to do with this.
> > But your smarthost certificate certainly does.
> >
> > Every time you try to send a mail, your exim checks certificate of
> > remote MTA, and it does not like what it sees.
> >
> > > So, when I ran the command :
> > > # bash /usr/share/doc/exim4-base/examples/exim-gencert
> > > ... did I miss something that should be there ?
> >
> > It's possible. Please provide an output of:
> >
> > grep -i 'tls_.*verify' /var/lib/exim4/config.autogenerated
> >
> > grep split exim4/update-exim4.conf.conf
>
> A typo.
>
> grep -i 'tls_.*verify' /var/lib/exim4/config.autogenerated

# grep -i 'tls_.*verify' /var/lib/exim4/config.autogenerated
.ifndef MAIN_TLS_VERIFY_CERTIFICATES
MAIN_TLS_VERIFY_CERTIFICATES = ${if exists{/etc/ssl/certs/ca-certificates.crt}\
tls_verify_certificates = MAIN_TLS_VERIFY_CERTIFICATES
.ifdef MAIN_TLS_VERIFY_HOSTS
tls_verify_hosts = MAIN_TLS_VERIFY_HOSTS
.ifdef MAIN_TLS_TRY_VERIFY_HOSTS
tls_try_verify_hosts = MAIN_TLS_TRY_VERIFY_HOSTS
.ifndef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS = *
.ifdef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_CERTIFICATES
tls_verify_certificates = REMOTE_SMTP_SMARTHOST_TLS_VERIFY_CERTIFICATES
.ifdef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
tls_verify_hosts = REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS

> grep split /etc/exim4/update-exim4.conf.conf

# grep split /etc/exim4/update-exim4.conf.conf
dc_use_split_config='false'

I'm afraid I don't understand much of what you're asking me. I hope it gives you some hint about what's going wrong here.

Thank you again.
Rudu
Re: exim4 as a smarthost with TLS
On Fri, Jul 30, 2021 at 07:25:34PM +0300, Reco wrote:
> Hi.
>
> On Fri, Jul 30, 2021 at 03:35:28PM +0200, rudu wrote:
> > Still, a simple :
> > $ mail -s test my.n...@provider.fr
> > ... ends up to show in # tail -f /var/log/exim4/mainlog :
> > 2021-07-30 10:58:09 1m9OLJ-000cAf-Ss <= my.n...@provider.fr U=rudu P=local S=461
> > 2021-07-30 10:58:10 1m9OLJ-000cAf-Ss == my.n...@provider.fr R=smarthost T=remote_smtp_smarthost defer (-37) H=smtpauth.provider.fr [185.204.xxx.xxx]: TLS session: (certificate verification failed): certificate invalid
>
> Your exim certificate has nothing to do with this.
> But your smarthost certificate certainly does.
>
> Every time you try to send a mail, your exim checks certificate of
> remote MTA, and it does not like what it sees.
>
> > So, when I ran the command :
> > # bash /usr/share/doc/exim4-base/examples/exim-gencert
> > ... did I miss something that should be there ?
>
> It's possible. Please provide an output of:
>
> grep -i 'tls_.*verify' /var/lib/exim4/config.autogenerated
>
> grep split exim4/update-exim4.conf.conf

A typo.

grep -i 'tls_.*verify' /var/lib/exim4/config.autogenerated

grep split /etc/exim4/update-exim4.conf.conf

Reco
Re: exim4 as a smarthost with TLS
Hi.

On Fri, Jul 30, 2021 at 03:35:28PM +0200, rudu wrote:
> Still, a simple :
> $ mail -s test my.n...@provider.fr
> ... ends up to show in # tail -f /var/log/exim4/mainlog :
> 2021-07-30 10:58:09 1m9OLJ-000cAf-Ss <= my.n...@provider.fr U=rudu P=local S=461
> 2021-07-30 10:58:10 1m9OLJ-000cAf-Ss == my.n...@provider.fr R=smarthost T=remote_smtp_smarthost defer (-37) H=smtpauth.provider.fr [185.204.xxx.xxx]: TLS session: (certificate verification failed): certificate invalid

Your exim certificate has nothing to do with this.
But your smarthost certificate certainly does.

Every time you try to send a mail, your exim checks certificate of
remote MTA, and it does not like what it sees.

> So, when I ran the command :
> # bash /usr/share/doc/exim4-base/examples/exim-gencert
> ... did I miss something that should be there ?

It's possible. Please provide an output of:

grep -i 'tls_.*verify' /var/lib/exim4/config.autogenerated

grep split exim4/update-exim4.conf.conf

Reco
exim4 as a smarthost with TLS
Dear Debian users,

I would greatly appreciate some help here, as I'm trying to tighten up my configuration of exim4 in a smarthost way.

My desktop runs Bullseye and performs a few cron tasks which used to send me by mail the notifications of their successful executions (or not). I stopped receiving these notifications around late April this year. But my initial configuration of exim4 was way back; I suppose I just did something like this at the time:
https://wiki.debian.org/Exim#Smarthost_with_Authentication

My e-mail service provider seems not to accept this anymore, so I went to this chapter:
https://wiki.debian.org/Exim#TLS_and_authentication
... and followed each step except the "Dual stack RSA/ECDSA configuration", which seemed unnecessary.

Still, a simple:
$ mail -s test my.n...@provider.fr
... ends up showing in # tail -f /var/log/exim4/mainlog:
2021-07-30 10:58:09 1m9OLJ-000cAf-Ss <= my.n...@provider.fr U=rudu P=local S=461
2021-07-30 10:58:10 1m9OLJ-000cAf-Ss == my.n...@provider.fr R=smarthost T=remote_smtp_smarthost defer (-37) H=smtpauth.provider.fr [185.204.xxx.xxx]: TLS session: (certificate verification failed): certificate invalid

So, when I ran the command:
# bash /usr/share/doc/exim4-base/examples/exim-gencert
... did I miss something that should be there?

Rudu
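The thread shows two different defers for the same smarthost: the defer (-37) "certificate verification failed" in this original post, and the 454 4.7.0 "Temporary authentication failure" after AUTH PLAIN once verification had been switched off. Before reaching for REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS = !*, a practitioner would want two things: a quick read of which messages are stuck and why, and an independent check of the smarthost's certificate chain against the same CA bundle exim uses, because with !* exim no longer checks who it is handing the AUTH PLAIN credentials to. The script below is an added example, not code from the thread or from Debian's exim4 package. Its assumptions: the smarthost speaks STARTTLS on port 587 (the thread does not say which port is used; for implicit TLS on 465, drop -starttls smtp), the CA bundle is /etc/ssl/certs/ca-certificates.crt as in the MAIN_TLS_VERIFY_CERTIFICATES default shown in the config.autogenerated grep output, SNI is sent (-servername), and the delivered-message lines in the sample are constructed, since the thread only reports that the mails arrived without showing a log for it.

```shell
#!/bin/sh
# Added example (not from the thread or from Debian's exim4 package).
#   classify_exim_defers   read exim4 mainlog lines on stdin; print, per message
#                          id, its final state and why it deferred
#   smarthost_verify_code  open a STARTTLS session to the smarthost with
#                          openssl s_client against the system CA bundle and
#                          report the certificate verify result
#   parse_verify_code      pull "N text" out of s_client's verify summary

classify_exim_defers() {
    # exim mainlog message line: $1 date  $2 time  $3 message id
    # $4 flag (<= received, == deferred, => delivered, ** bounced)  rest: details
    awk '
        function track(id) { if (!(id in state)) { order[++n] = id; reason[id] = "-" } }
        $4 == "<=" { track($3); state[$3] = "received" }
        $4 == "==" {
            track($3); state[$3] = "defer"
            r = "other"
            if ($0 ~ /certificate verification failed/)        r = "tls_verify"
            else if ($0 ~ /after AUTH [A-Z-]+ : 4[0-9][0-9]/)  r = "auth_temp"
            reason[$3] = r
        }
        $4 == "**" { track($3); state[$3] = "failed";    reason[$3] = "bounced" }
        $4 == "=>" { track($3); state[$3] = "delivered"; reason[$3] = "ok" }
        END { for (i = 1; i <= n; i++) print order[i], state[order[i]], reason[order[i]] }
    '
}

parse_verify_code() {
    # openssl s_client prints e.g. "    Verify return code: 0 (ok)"; keep "0 ok".
    sed -n 's/^[[:space:]]*Verify return code: \([0-9][0-9]*\) (\(.*\))[[:space:]]*$/\1 \2/p'
}

# smarthost_verify_code HOST [PORT]: assumes STARTTLS submission on 587 and the
# system bundle; for implicit TLS on 465 remove "-starttls smtp".
smarthost_verify_code() {
    openssl s_client -starttls smtp -connect "$1:${2:-587}" -servername "$1" \
        -CAfile /etc/ssl/certs/ca-certificates.crt </dev/null 2>/dev/null \
        | parse_verify_code
}

# Sample input: the two deferred messages from the thread's logs, plus a
# constructed delivery (id 1mAAAA-000000-AA and its C= text are made up).
SAMPLE_MAINLOG=$(cat <<'EOF'
2021-07-30 10:58:09 1m9OLJ-000cAf-Ss <= my.n...@provider.fr U=rudu P=local S=461
2021-07-30 10:58:10 1m9OLJ-000cAf-Ss == my.n...@provider.fr R=smarthost T=remote_smtp_smarthost defer (-37) H=smtpauth.provider.fr [185.204.xxx.xxx]: TLS session: (certificate verification failed): certificate invalid
2021-08-01 00:33:34 1m9xXy-00035e-PB <= my.n...@provider.fr U=rudu P=local S=463
2021-08-01 00:33:35 1m9xXy-00035e-PB H=smtpauth.provider.fr [185.204.xxx.xxx]: SMTP error from remote mail server after AUTH PLAIN : 454 4.7.0 Temporary authentication failure: Connection lost to authentication server
2021-08-01 00:33:35 1m9xXy-00035e-PB == my.n...@provider.fr R=smarthost T=remote_smtp_smarthost defer (0) H=smtpauth.provider.fr [185.204.xxx.xxx]: SMTP error from remote mail server after AUTH PLAIN : 454 4.7.0 Temporary authentication failure: Connection lost to authentication server
2021-08-01 09:00:00 1mAAAA-000000-AA <= my.n...@provider.fr U=rudu P=local S=460
2021-08-01 09:00:01 1mAAAA-000000-AA => my.n...@provider.fr R=smarthost T=remote_smtp_smarthost H=smtpauth.provider.fr [185.204.xxx.xxx] C="250 2.0.0 Ok: queued"
2021-08-01 09:00:01 1mAAAA-000000-AA Completed
EOF
)

printf '%s\n' "$SAMPLE_MAINLOG" | classify_exim_defers

# Live check only when asked for:  SMARTHOST=smtpauth.provider.fr sh this-script.sh
if [ -n "${SMARTHOST:-}" ]; then
    echo "$SMARTHOST: verify return code $(smarthost_verify_code "$SMARTHOST" "${SMARTHOST_PORT:-587}")"
fi
```

Reading the results: "0 ok" from openssl while exim still defers with -37 points at the trust store exim itself reads (MAIN_TLS_VERIFY_CERTIFICATES, or REMOTE_SMTP_SMARTHOST_TLS_VERIFY_CERTIFICATES for the smarthost transport, both visible in the grep output in this thread), which is the knob to adjust; a non-zero code names the actual chain problem to take up with the provider or to fix by pointing REMOTE_SMTP_SMARTHOST_TLS_VERIFY_CERTIFICATES at the CA their chain ends in. Either route keeps verification on. Debian's exim4 is linked against GnuTLS, so its wording ("certificate invalid") differs from openssl's, but the trust decision is the same when both read the same bundle. The auth_temp class is different in kind: 454 4.7.0 is the provider's server reporting a temporary failure of its own, which exim retries on its own schedule, and no local TLS setting changes it.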