Re: exim4 as a smarthost with TLS

2021-07-31 Thread rudu

Guys, guess what ?

I received my test mails !!!

Reco, thank you very much, Sven also for your input.

Rudu



Re: exim4 as a smarthost with TLS

2021-07-31 Thread rudu

Reco, Sven, thank you for your help, my next steps below :

On 31/07/2021 at 16:24, Reco wrote:
> On Sat, Jul 31, 2021 at 04:03:43PM +0200, Sven Hartge wrote:
> > Reco wrote:
> > > On Sat, Jul 31, 2021 at 02:45:34PM +0200, Sven Hartge wrote:
> > >> Reco wrote:
> > >>
> > >> > Seems straightforward enough.
> > >> > Edit /etc/exim4/exim4.conf.template, you'll need to comment out a block
> > >> > similar to this:
> > >>
> > >> >  .ifndef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
> > >> >    REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS = *
> > >> >  .endif
> > >>
> > >> > Do not touch second block (starting with .ifdef
> > >> > REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS).
> > >>
> > >> > Execute /usr/sbin/update-exim4.conf.
> > >> > Bounce exim4.
> > >>
> > >> > Smarthost certificate verification should be disabled after this.
> > >>
> > >> Wouldn't it be easier to just create /etc/exim4/exim4.conf.localmacros
> > >> and put
> > >>
> > >>  REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS = !*
> > >>
> > >> in it?
> >
> > > Could be. Will exim4.conf.localmacros apply to non-split exim config?
> >
> > It will *only* apply to a non-split config.
>
> Agreed. There's nothing wrong in trying
> REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS = !* as far as I'm concerned.

What I just did :
# nano /etc/exim4/exim4.conf.template
I commented out this :
#.ifndef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
#  REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS = *
#.endif

Then
# update-exim4.conf
# systemctl restart exim4.service
# rm /var/spool/exim4/db/retry*
# rm /var/spool/exim4/db/wait-remote_smtp_smarthost*
# tail -f /var/log/exim4/mainlog
Then in a user terminal :
$ mail -s test my.n...@provider.fr

The log :
2021-08-01 00:33:34 1m9xXy-00035e-PB <= my.n...@provider.fr U=rudu P=local S=463
2021-08-01 00:33:35 1m9xXy-00035e-PB H=smtpauth.provider.fr [185.204.xxx.xxx]: SMTP error from remote mail server after AUTH PLAIN : 454 4.7.0 Temporary authentication failure: Connection lost to authentication server
2021-08-01 00:33:35 1m9xXy-00035e-PB == my.n...@provider.fr R=smarthost T=remote_smtp_smarthost defer (0) H=smtpauth.provider.fr [185.204.xxx.xxx]: SMTP error from remote mail server after AUTH PLAIN : 454 4.7.0 Temporary authentication failure: Connection lost to authentication server


Sorry to be so lost, but really I can't figure out what all this means ...
But that's sort of new kind of mainlog from exim4 ...

Rings some bell ?

Thanks in advance
Rudu
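
The two mainlog excerpts in this thread defer for different reasons: the earlier one fails certificate verification during the TLS session (defer (-37)), while the one above gets past TLS and fails at AUTH with a 454 reply. The following is an added example, not part of any message in the thread, that separates the two cases; the sample lines are constructed in the format quoted above, and the recipient address is a placeholder.

```shell
#!/bin/sh
# Added example: classify smarthost deferrals in an exim4 mainlog by cause.

classify_defers() {
    # stdin: mainlog lines; stdout: "<message-id> <host> <cause>" per deferral.
    # Only "==" (deferred) lines on the remote_smtp_smarthost transport count;
    # "<=" arrivals and informational "H=..." lines are ignored.
    awk '
        $4 == "==" && / T=remote_smtp_smarthost defer / {
            host = "-"
            for (i = 5; i <= NF; i++)
                if ($i ~ /^H=/) { host = substr($i, 3); break }
            if (/certificate verification failed/)
                cause = "tls-verify"      # peer certificate was rejected
            else if (/SMTP error from remote mail server after AUTH/)
                cause = "smtp-auth"       # TLS was fine, AUTH was refused
            else
                cause = "other"
            print $3, host, cause
        }'
}

# Constructed sample lines modelled on the excerpts quoted in the thread.
sample_mainlog() {
    cat <<'EOF'
2021-07-30 10:58:09 1m9OLJ-000cAf-Ss <= user@example.invalid U=rudu P=local S=461
2021-07-30 10:58:10 1m9OLJ-000cAf-Ss == user@example.invalid R=smarthost T=remote_smtp_smarthost defer (-37) H=smtpauth.provider.fr [185.204.xxx.xxx]: TLS session: (certificate verification failed): certificate invalid
2021-08-01 00:33:35 1m9xXy-00035e-PB H=smtpauth.provider.fr [185.204.xxx.xxx]: SMTP error from remote mail server after AUTH PLAIN : 454 4.7.0 Temporary authentication failure: Connection lost to authentication server
2021-08-01 00:33:35 1m9xXy-00035e-PB == user@example.invalid R=smarthost T=remote_smtp_smarthost defer (0) H=smtpauth.provider.fr [185.204.xxx.xxx]: SMTP error from remote mail server after AUTH PLAIN : 454 4.7.0 Temporary authentication failure: Connection lost to authentication server
EOF
}

sample_mainlog | classify_defers
```

A `tls-verify` deferral that appears without a local configuration change means the smarthost's certificate or the local CA bundle changed and is worth investigating before verification is relaxed.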



Re: exim4 as a smarthost with TLS

2021-07-31 Thread Reco
On Sat, Jul 31, 2021 at 04:03:43PM +0200, Sven Hartge wrote:
> Reco  wrote:
> > On Sat, Jul 31, 2021 at 02:45:34PM +0200, Sven Hartge wrote:
> >> Reco  wrote:
> >> 
> >> > Seems straightforward enough.
> >> > Edit /etc/exim4/exim4.conf.template, you'll need to comment out a block
> >> > similar to this:
> >> 
> >> >  .ifndef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
> >> >    REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS = *
> >> >  .endif
> >> 
> >> > Do not touch second block (starting with .ifdef
> >> > REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS).
> >> 
> >> > Execute /usr/sbin/update-exim4.conf.
> >> > Bounce exim4.
> >> 
> >> > Smarthost certificate verification should be disabled after this.
> >> 
> >> Wouldn't it be easier to just create /etc/exim4/exim4.conf.localmacros
> >> and put 
> >> 
> >>  REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS = !*
> >> 
> >> in it?
> 
> > Could be. Will exim4.conf.localmacros apply to non-split exim config?
> 
> It will *only* apply to a non-split config.

Agreed. There's nothing wrong in trying
REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS = !* as far as I'm concerned.

Reco



Re: exim4 as a smarthost with TLS

2021-07-31 Thread Sven Hartge
Reco  wrote:
> On Sat, Jul 31, 2021 at 02:45:34PM +0200, Sven Hartge wrote:
>> Reco  wrote:
>> 
>> > Seems straightforward enough.
>> > Edit /etc/exim4/exim4.conf.template, you'll need to comment out a block
>> > similar to this:
>> 
>> >  .ifndef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
>> >    REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS = *
>> >  .endif
>> 
>> > Do not touch second block (starting with .ifdef
>> > REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS).
>> 
>> > Execute /usr/sbin/update-exim4.conf.
>> > Bounce exim4.
>> 
>> > Smarthost certificate verification should be disabled after this.
>> 
>> Wouldn't it be easier to just create /etc/exim4/exim4.conf.localmacros
>> and put 
>> 
>>  REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS = !*
>> 
>> in it?

> Could be. Will exim4.conf.localmacros apply to non-split exim config?

It will *only* apply to a non-split config.

For the split config you need to create a file like
/etc/exim4/conf.d/main/000_localconfig instead.

Documentation says:

,[ /usr/share/doc/exim4-base/README.Debian.gz
|For split configuration, you can drop the local configuration file
|anywhere in /etc/exim4/conf.d/main. Just make sure it gets read
|before the macro is first used. 000_localmacros is a possible name,
|guaranteeing first order. For a non-split configuration,
|/etc/exim4/exim4.conf.localmacros gets read before
|/etc/exim4/exim4.conf.template.
`

S°

-- 
Sigmentation fault. Core dumped.
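
The read order described above (exim4.conf.localmacros before exim4.conf.template, with the template's `.ifndef` block supplying the default) decides whether smarthost certificate verification is on. The following is an added example, not code from the thread or from the exim4 packages, that resolves the macro the same way so the result of either change can be audited. It assumes plain `.ifdef`/`.ifndef`/`.else`/`.endif` and `NAME = value` lines only; the function names and state labels are hypothetical, and the template fragment is constructed from the blocks quoted in the thread.

```shell
#!/bin/sh
# Added example: resolve a macro as a non-split Debian exim4 config is read.

effective_macro() {
    # $1 = macro name, rest = files in read order; status 1 = never defined.
    name=$1; shift
    cat -- "$@" 2>/dev/null | awk -v name="$name" '
        function active(   i) {
            for (i = 1; i <= depth; i++) if (skip[i]) return 0
            return 1
        }
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
        /^#/ || /^$/    { next }
        $1 == ".ifdef"  { skip[++depth] = !($2 in defined); next }
        $1 == ".ifndef" { skip[++depth] =  ($2 in defined); next }
        $1 == ".else"   { skip[depth] = !skip[depth]; next }
        $1 == ".endif"  { if (depth > 0) depth--; next }
        !active()       { next }
        /^[A-Z][A-Za-z0-9_]*[ \t]*=/ {
            m = $0; sub(/[ \t]*=.*/, "", m)
            v = $0; sub(/^[^=]*=+[ \t]*/, "", v)
            defined[m] = 1
            if (m == name) value = v
        }
        END { if (name in defined) print value; else exit 1 }'
}

smarthost_tls_state() {
    # Args: config files in read order. Prints verify-all, verify-none,
    # unset (the .ifdef block never sets tls_verify_hosts) or custom:<list>.
    if v=$(effective_macro REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS "$@"); then
        case $v in
            '*')  echo verify-all ;;
            '!*') echo verify-none ;;
            *)    echo "custom:$v" ;;
        esac
    else
        echo unset
    fi
}

# Constructed sample: the two template blocks quoted in the thread.
sample_template() {
    cat <<'EOF'
.ifndef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
  REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS = *
.endif
.ifdef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
  tls_verify_hosts = REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
.endif
EOF
}

d=$(mktemp -d) && sample_template > "$d/tpl" &&
    sed '1,3s/^/#/' "$d/tpl" > "$d/tpl.commented" &&
    echo 'REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS = !*' > "$d/macros"
for pair in "none tpl" "none tpl.commented" "macros tpl"; do
    set -- $pair; echo "$pair -> $(smarthost_tls_state "$d/$1" "$d/$2")"
done; rm -rf "$d"
```

On a host with a non-split config, `smarthost_tls_state /etc/exim4/exim4.conf.localmacros /etc/exim4/exim4.conf.template` reports the state; anything other than `verify-all` means the smarthost's certificate is not required to verify.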



Re: exim4 as a smarthost with TLS

2021-07-31 Thread Reco
On Sat, Jul 31, 2021 at 02:45:34PM +0200, Sven Hartge wrote:
> Reco  wrote:
> 
> > Seems straightforward enough.
> > Edit /etc/exim4/exim4.conf.template, you'll need to comment out a block
> > similar to this:
> 
> >  .ifndef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
> >    REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS = *
> >  .endif
> 
> > Do not touch second block (starting with .ifdef
> > REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS).
> 
> > Execute /usr/sbin/update-exim4.conf.
> > Bounce exim4.
> 
> > Smarthost certificate verification should be disabled after this.
> 
> Wouldn't it be easier to just create /etc/exim4/exim4.conf.localmacros
> and put 
> 
>  REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS = !*
> 
> in it?

Could be. Will exim4.conf.localmacros apply to non-split exim config?

Reco



Re: exim4 as a smarthost with TLS

2021-07-31 Thread Sven Hartge
Reco  wrote:

> Seems straightforward enough.
> Edit /etc/exim4/exim4.conf.template, you'll need to comment out a block
> similar to this:

>  .ifndef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
>    REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS = *
>  .endif

> Do not touch second block (starting with .ifdef
> REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS).

> Execute /usr/sbin/update-exim4.conf.
> Bounce exim4.

> Smarthost certificate verification should be disabled after this.

Wouldn't it be easier to just create /etc/exim4/exim4.conf.localmacros
and put 

 REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS = !*

in it? That way you don't need to edit the template (causing a merge
prompt on the next exim4 update).

This is also the way the README.Debian suggests doing this.

S°

-- 
Sigmentation fault. Core dumped.



Re: exim4 as a smarthost with TLS

2021-07-31 Thread Reco
On Sat, Jul 31, 2021 at 01:03:18PM +0200, rudu wrote:
> On 31/07/2021 at 08:25, Reco wrote:
> > On Sat, Jul 31, 2021 at 09:21:02AM +0300, Reco wrote:
> > > > > grep split /etc/exim4/update-exim4.conf.conf
> > > > # grep split /etc/exim4/update-exim4.conf.conf
> > > > dc_use_split_config='false'
> > > And this part shows that to change this you have to edit files at
> > > /etc/exim4/conf.d.
> > Damn. I need to think more before I send e-mails.
> > Of course this part shows that you lack a split exim4 config, so we'll
> > have to edit /etc/exim4/exim4.conf.template.
> > 
> > So, in addition to:
> > 
> > grep -R REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS /etc/exim4/conf.d
> # grep -R REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS /etc/exim4/conf.d
> /etc/exim4/conf.d/transport/30_exim4-config_remote_smtp_smarthost:.ifdef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
> /etc/exim4/conf.d/transport/30_exim4-config_remote_smtp_smarthost: tls_verify_hosts = REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
> /etc/exim4/conf.d/transport/10_exim4-config_transport-macros:.ifndef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
> /etc/exim4/conf.d/transport/10_exim4-config_transport-macros: REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS = *
> 
> > Please also post this:
> > 
> > grep REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS /etc/exim4/exim4.conf.template
> # grep REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS /etc/exim4/exim4.conf.template
> .ifndef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
>   REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS = *
> .ifdef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
>   tls_verify_hosts = REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS

Seems straightforward enough.
Edit /etc/exim4/exim4.conf.template, you'll need to comment out a block
similar to this:

 .ifndef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
   REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS = *
 .endif

Do not touch second block (starting with .ifdef
REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS).

Execute /usr/sbin/update-exim4.conf.
Bounce exim4.

Smarthost certificate verification should be disabled after this.


If you ever need to reenable it - just uncomment the ifndef block, and
execute /usr/sbin/update-exim4.conf once more.

Reco



Re: exim4 as a smarthost with TLS

2021-07-31 Thread rudu

Hi Reco,

On 31/07/2021 at 08:25, Reco wrote:
> On Sat, Jul 31, 2021 at 09:21:02AM +0300, Reco wrote:
> > > > grep split /etc/exim4/update-exim4.conf.conf
> > > # grep split /etc/exim4/update-exim4.conf.conf
> > > dc_use_split_config='false'
> > And this part shows that to change this you have to edit files at
> > /etc/exim4/conf.d.
> Damn. I need to think more before I send e-mails.
> Of course this part shows that you lack a split exim4 config, so we'll
> have to edit /etc/exim4/exim4.conf.template.
>
> So, in addition to:
>
> grep -R REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS /etc/exim4/conf.d

# grep -R REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS /etc/exim4/conf.d
/etc/exim4/conf.d/transport/30_exim4-config_remote_smtp_smarthost:.ifdef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
/etc/exim4/conf.d/transport/30_exim4-config_remote_smtp_smarthost: tls_verify_hosts = REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
/etc/exim4/conf.d/transport/10_exim4-config_transport-macros:.ifndef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
/etc/exim4/conf.d/transport/10_exim4-config_transport-macros: REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS = *

> Please also post this:
>
> grep REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS /etc/exim4/exim4.conf.template

# grep REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS /etc/exim4/exim4.conf.template
.ifndef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
  REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS = *
.ifdef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
  tls_verify_hosts = REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS


Thank you
Rudu




Re: exim4 as a smarthost with TLS

2021-07-31 Thread Reco
On Sat, Jul 31, 2021 at 09:21:02AM +0300, Reco wrote:
> > > grep split /etc/exim4/update-exim4.conf.conf
> > # grep split /etc/exim4/update-exim4.conf.conf
> > dc_use_split_config='false'
> 
> And this part shows that to change this you have to edit files at
> /etc/exim4/conf.d.

Damn. I need to think more before I send e-mails.
Of course this part shows that you lack a split exim4 config, so we'll
have to edit /etc/exim4/exim4.conf.template.

So, in addition to:

grep -R REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS /etc/exim4/conf.d

Please also post this:

grep REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS /etc/exim4/exim4.conf.template

Reco



Re: exim4 as a smarthost with TLS

2021-07-31 Thread Reco
Hi.

On Sat, Jul 31, 2021 at 01:08:19AM +0200, rudu wrote:
> Thank you Reco, see below
> 
> On 30/07/2021 at 18:27, Reco wrote:
> > On Fri, Jul 30, 2021 at 07:25:34PM +0300, Reco wrote:
> > >   Hi.
> > > 
> > > On Fri, Jul 30, 2021 at 03:35:28PM +0200, rudu wrote:
> > > > Still, a simple :
> > > > $ mail -s test my.n...@provider.fr
> > > > ... ends up to show in # tail -f /var/log/exim4/mainlog :
> > > > 2021-07-30 10:58:09 1m9OLJ-000cAf-Ss <= my.n...@provider.fr U=rudu 
> > > > P=local S=461
> > > > 2021-07-30 10:58:10 1m9OLJ-000cAf-Ss == my.n...@provider.fr R=smarthost 
> > > > T=remote_smtp_smarthost defer (-37) H=smtpauth.provider.fr 
> > > > [185.204.xxx.xxx]: TLS
> > > > session: (certificate verification failed): certificate invalid
> > > Your exim certificate has nothing to do with this.
> > > But your smarthost certificate certainly does.
> > > 
> > > Every time you try to send a mail, your exim checks certificate of
> > > remote MTA, and it does not like what it sees.
> > > 
> > > > So, when I ran the command :
> > > > # bash /usr/share/doc/exim4-base/examples/exim-gencert
> > > > ... did I miss something that should be there ?
> > > It's possible. Please provide an output of:
> > > 
> > > grep -i 'tls_.*verify' /var/lib/exim4/config.autogenerated
> > > 
> > > grep split exim4/update-exim4.conf.conf
> > A typo.
> > 
> > grep -i 'tls_.*verify' /var/lib/exim4/config.autogenerated
> # grep -i 'tls_.*verify' /var/lib/exim4/config.autogenerated
> .ifndef MAIN_TLS_VERIFY_CERTIFICATES
> MAIN_TLS_VERIFY_CERTIFICATES = ${if 
> exists{/etc/ssl/certs/ca-certificates.crt}\
> tls_verify_certificates = MAIN_TLS_VERIFY_CERTIFICATES
> .ifdef MAIN_TLS_VERIFY_HOSTS
> tls_verify_hosts = MAIN_TLS_VERIFY_HOSTS
> .ifdef MAIN_TLS_TRY_VERIFY_HOSTS
> tls_try_verify_hosts = MAIN_TLS_TRY_VERIFY_HOSTS
> .ifndef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
>   REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS = *
> .ifdef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_CERTIFICATES
>   tls_verify_certificates = REMOTE_SMTP_SMARTHOST_TLS_VERIFY_CERTIFICATES
> .ifdef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
>   tls_verify_hosts = REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS

This part of exim4 config shows that it has certificate verification
enabled. And it does this for smarthosts too, which corresponds to
REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS = *.


> > grep split /etc/exim4/update-exim4.conf.conf
> # grep split /etc/exim4/update-exim4.conf.conf
> dc_use_split_config='false'

And this part shows that to change this you have to edit files at
/etc/exim4/conf.d.


The only question left is - which particular macro defines
REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS, because it certainly does not
happen here (exim4-daemon-heavy, buster, but I don't use "satellite"
configuration).

Therefore,

grep -R REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS /etc/exim4/conf.d

Reco



Re: exim4 as a smarthost with TLS

2021-07-30 Thread rudu

Thank you Reco, see below

On 30/07/2021 at 18:27, Reco wrote:
> On Fri, Jul 30, 2021 at 07:25:34PM +0300, Reco wrote:
> > Hi.
> >
> > On Fri, Jul 30, 2021 at 03:35:28PM +0200, rudu wrote:
> > > Still, a simple :
> > > $ mail -s test my.n...@provider.fr
> > > ... ends up to show in # tail -f /var/log/exim4/mainlog :
> > > 2021-07-30 10:58:09 1m9OLJ-000cAf-Ss <= my.n...@provider.fr U=rudu P=local S=461
> > > 2021-07-30 10:58:10 1m9OLJ-000cAf-Ss == my.n...@provider.fr R=smarthost T=remote_smtp_smarthost defer (-37) H=smtpauth.provider.fr [185.204.xxx.xxx]: TLS session: (certificate verification failed): certificate invalid
> > Your exim certificate has nothing to do with this.
> > But your smarthost certificate certainly does.
> >
> > Every time you try to send a mail, your exim checks certificate of
> > remote MTA, and it does not like what it sees.
> >
> > > So, when I ran the command :
> > > # bash /usr/share/doc/exim4-base/examples/exim-gencert
> > > ... did I miss something that should be there ?
> > It's possible. Please provide an output of:
> >
> > grep -i 'tls_.*verify' /var/lib/exim4/config.autogenerated
> >
> > grep split exim4/update-exim4.conf.conf
> A typo.
>
> grep -i 'tls_.*verify' /var/lib/exim4/config.autogenerated

# grep -i 'tls_.*verify' /var/lib/exim4/config.autogenerated
.ifndef MAIN_TLS_VERIFY_CERTIFICATES
MAIN_TLS_VERIFY_CERTIFICATES = ${if exists{/etc/ssl/certs/ca-certificates.crt}\
tls_verify_certificates = MAIN_TLS_VERIFY_CERTIFICATES
.ifdef MAIN_TLS_VERIFY_HOSTS
tls_verify_hosts = MAIN_TLS_VERIFY_HOSTS
.ifdef MAIN_TLS_TRY_VERIFY_HOSTS
tls_try_verify_hosts = MAIN_TLS_TRY_VERIFY_HOSTS
.ifndef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
  REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS = *
.ifdef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_CERTIFICATES
  tls_verify_certificates = REMOTE_SMTP_SMARTHOST_TLS_VERIFY_CERTIFICATES
.ifdef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
  tls_verify_hosts = REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS

> grep split /etc/exim4/update-exim4.conf.conf

# grep split /etc/exim4/update-exim4.conf.conf
dc_use_split_config='false'

I'm afraid I don't understand much of what you're asking me.
Hope that it gives you any hint about what's going wrong here.

Thank you again.

Rudu



Re: exim4 as a smarthost with TLS

2021-07-30 Thread Reco
On Fri, Jul 30, 2021 at 07:25:34PM +0300, Reco wrote:
>   Hi.
> 
> On Fri, Jul 30, 2021 at 03:35:28PM +0200, rudu wrote:
> > Still, a simple :
> > $ mail -s test my.n...@provider.fr
> > ... ends up to show in # tail -f /var/log/exim4/mainlog :
> > 2021-07-30 10:58:09 1m9OLJ-000cAf-Ss <= my.n...@provider.fr U=rudu P=local 
> > S=461
> > 2021-07-30 10:58:10 1m9OLJ-000cAf-Ss == my.n...@provider.fr R=smarthost 
> > T=remote_smtp_smarthost defer (-37) H=smtpauth.provider.fr 
> > [185.204.xxx.xxx]: TLS
> > session: (certificate verification failed): certificate invalid
> 
> Your exim certificate has nothing to do with this.
> But your smarthost certificate certainly does.
> 
> Every time you try to send a mail, your exim checks certificate of
> remote MTA, and it does not like what it sees.
> 
> > So, when I ran the command :
> > # bash /usr/share/doc/exim4-base/examples/exim-gencert
> > ... did I miss something that should be there ?
> 
> It's possible. Please provide an output of:
> 
> grep -i 'tls_.*verify' /var/lib/exim4/config.autogenerated
> 
> grep split exim4/update-exim4.conf.conf

A typo.

grep -i 'tls_.*verify' /var/lib/exim4/config.autogenerated

grep split /etc/exim4/update-exim4.conf.conf

Reco



Re: exim4 as a smarthost with TLS

2021-07-30 Thread Reco
Hi.

On Fri, Jul 30, 2021 at 03:35:28PM +0200, rudu wrote:
> Still, a simple :
> $ mail -s test my.n...@provider.fr
> ... ends up to show in # tail -f /var/log/exim4/mainlog :
> 2021-07-30 10:58:09 1m9OLJ-000cAf-Ss <= my.n...@provider.fr U=rudu P=local 
> S=461
> 2021-07-30 10:58:10 1m9OLJ-000cAf-Ss == my.n...@provider.fr R=smarthost 
> T=remote_smtp_smarthost defer (-37) H=smtpauth.provider.fr [185.204.xxx.xxx]: 
> TLS
> session: (certificate verification failed): certificate invalid

Your exim certificate has nothing to do with this.
But your smarthost certificate certainly does.

Every time you try to send a mail, your exim checks certificate of
remote MTA, and it does not like what it sees.

> So, when I ran the command :
> # bash /usr/share/doc/exim4-base/examples/exim-gencert
> ... did I miss something that should be there ?

It's possible. Please provide an output of:

grep -i 'tls_.*verify' /var/lib/exim4/config.autogenerated

grep split exim4/update-exim4.conf.conf

Reco



exim4 as a smarthost with TLS

2021-07-30 Thread rudu

Dear Debian users,

I would greatly appreciate some help here, as I'm trying to tighten up 
my configuration of exim4 in a smarthost way.
My desktop runs Bullseye and performs a few cron tasks which used to send 
me by mail the notifications of their successful executions (or not).

I stopped receiving these notifications around late April this year.
But my initial configuration of exim4 was way back, I suppose I just did 
something like this at the time :

https://wiki.debian.org/Exim#Smarthost_with_Authentication

My e-mail service provider seems not to accept this anymore so I went to 
this chapter :

https://wiki.debian.org/Exim#TLS_and_authentication
... and followed each step except the "Dual stack RSA/ECDSA 
configuration" which seemed unnecessary.


Still, a simple :
$ mail -s test my.n...@provider.fr
... ends up to show in # tail -f /var/log/exim4/mainlog :
2021-07-30 10:58:09 1m9OLJ-000cAf-Ss <= my.n...@provider.fr U=rudu P=local S=461
2021-07-30 10:58:10 1m9OLJ-000cAf-Ss == my.n...@provider.fr R=smarthost T=remote_smtp_smarthost defer (-37) H=smtpauth.provider.fr [185.204.xxx.xxx]: TLS session: (certificate verification failed): certificate invalid


So, when I ran the command :
# bash /usr/share/doc/exim4-base/examples/exim-gencert
... did I miss something that should be there ?

Rudu