Re: [exim] Configuring for non-encrypted MUA to localhost. TLS-on-connect, exim to smarthost.
On 06/04/2023 19:53, Jeremy Harris via Exim-users wrote:
> On 05/04/2023 17:49, Peter via Exim-users wrote:
>> 19:40:02 9597 TFO mode sendto, no data: EINPROGRESS
>> 19:40:02 9597 connected
>> 19:40:02 9597 ╭considering: $primary_hostname
>> 19:40:02 9597 ├──expanding: $primary_hostname
>> 19:40:02 9597 ╰─result: dalton.invalid
>
> Something tells me you didn't wait long enough (which could be, like, ten minutes if it's this end exim timing out waiting for the target system to speak).

Actually, I'm not convinced that your transport actually has "protocol = smtps". The TLS client-side startup should be visible pretty soon after that "sendto" (which initiates the TCP connection).

If you look backward in that file there should be a line like "remote delivery to j...@test.ex with transport=send_to_server1" - take that transport name off the end and check it's the transport in your config that you are expecting. Then do

  # exim -bP transport

to dump the actual config (at least, from a freshly loaded config... you *did* restart exim after any config edits?)

--
Cheers,
  Jeremy

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] Configuring for non-encrypted MUA to localhost. TLS-on-connect, exim to smarthost.
On Thu, 30 Mar 2023, Peter via Exim-users wrote:
> Hi,
>
> Debian 11 here with exim4 4.94.2-7. On the localhost, the MUA needs a non-encrypted connection on port 25 to exim. Exim to remote smarthost is TLS-on-connect with AUTH PLAIN. The connection was verified with this command.
>
>   $ openssl s_client -crlf -connect mail.easthope.ca:465
>
> How should this be configured?

Ah. I have finally got my head around what you are attempting to do.

If you need exim to send mail to port 465 on the "smarthost" you cannot just tell it to send the mail ... that would go to port 25 (and use starttls). You need exim to pretend to be an MUA/MSA.

I'm not sure anyone else in the discussion has taken in that point, so I'm sending this now, while I read the spec and consider how it might be done, though my first thought is that you need a transport especially for this host with options to force the connection to port 465 and tls-on-connect.

--
Andrew C. Aitchison
Kendal, UK
and...@aitchison.me.uk
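Putting Jeremy's "protocol = smtps" / transport check and Andrew's "transport especially for this host" suggestion together, the following is an added, hypothetical Exim configuration fragment. It is not from the thread, from the Exim project, or from Debian's packaging; it shows the three pieces a TLS-on-connect smarthost delivery needs (router, transport, client authenticator) plus the loopback-only listener for the cleartext MUA connection. The router, transport and authenticator names, the smarthost hostname, the username and the password placeholder are all assumptions; Debian's split configuration keeps equivalent pieces under /etc/exim4/conf.d with its own names.

```exim
# Added example configuration (hypothetical; not from the thread, Exim or Debian).
# All names below are assumed placeholders.

# --- main section ---
domainlist local_domains = @ : localhost
# The unencrypted submission path stays on loopback only; nothing on the
# network can reach the port-25 listener.
local_interfaces = 127.0.0.1

# --- routers section ---
# Everything that is not for a local domain goes to the smarthost.
smarthost:
  driver = manualroute
  domains = ! +local_domains
  transport = smarthost_smtps
  route_list = * smarthost.example.net      # assumed smarthost name
  no_more

# --- transports section ---
# Dedicated transport so port, TLS mode and auth are forced for this host only.
smarthost_smtps:
  driver = smtp
  port = 465
  protocol = smtps                          # TLS-on-connect, not STARTTLS on 25/587
  hosts_require_tls = *                     # never fall back to cleartext
  tls_verify_certificates = system          # verify the smarthost against the system CA store
  tls_verify_hosts = *                      # a bad certificate fails the delivery
  hosts_require_auth = *                    # never hand the message over unauthenticated

# --- authenticators section ---
# Client-side PLAIN: "^" becomes NUL, giving empty authzid, then user, then password.
# "hide" keeps the secret out of "exim -bP" output for non-admin users.
smarthost_login:
  driver = plaintext
  public_name = PLAIN
  hide client_send = ^smarthost_user^SMARTHOST_PASSWORD_PLACEHOLDER
```

With this in place the "remote delivery to ... with transport=" debug line should end in smarthost_smtps, "exim -bP transport smarthost_smtps" dumps what the loaded configuration really holds for it, and "exim -bt someone@example.org" shows which router and transport an address would be given. hosts_require_tls, hosts_require_auth and the certificate verification options are there so that a misconfigured or downgraded path fails loudly instead of quietly sending the credentials or the mail in clear.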
[exim] Re (2): Re (y): Configuring for non-encrypted MUA to localhost. TLS-on-connect, exim to smarthost.
Slavko,

Thanks for the reply.

> From: Slavko via Exim-users
> Date: Thu, 6 Apr 2023 20:10:09 +0200
> When someone sends message via command line, ...

For testing I can use a command such as "exim -bp" or, as Jeremy suggested, "exim -d+all -odf per...@externaldomsin.com ...".

In normal ordinary use, a message is submitted by a message submission agent. I.e. a program which runs on localhost and submits a message to exim on localhost. Exim has the task of sending the message to the remote smarthost.

From what you have said, root should be able to submit a message via the MSA just as well as J. Doe. The account using the MSA is no concern of exim. Correct?

So, back to the earlier puzzle: why does the output from "exim -d+all -odf ..." appear to stop without a reasonable conclusion?

Or the original conundrum: how should exim be configured for non-TLS locally and TLS to smarthost?

Thanks,
... P.
Re: [exim] Configuring for non-encrypted MUA to localhost. TLS-on-connect, exim to smarthost.
On 05/04/2023 17:49, Peter via Exim-users wrote:
> 19:40:02 9597 TFO mode sendto, no data: EINPROGRESS
> 19:40:02 9597 connected
> 19:40:02 9597 ╭considering: $primary_hostname
> 19:40:02 9597 ├──expanding: $primary_hostname
> 19:40:02 9597 ╰─result: dalton.invalid

Something tells me you didn't wait long enough (which could be, like, ten minutes if it's this end exim timing out waiting for the target system to speak).

--
Cheers,
  Jeremy
Re: [exim] Re (n): Configuring for non-encrypted MUA to localhost. TLS-on-connect, exim to smarthost.
On 06/04/2023 18:30, Peter via Exim-users wrote:
> I should refrain from attempting to send messages as root. Should submit as ordinary user. Correct?

Nope. The "don't run as root" thing doesn't affect deliveries done via smtp, only deliveries to file. Deliveries to file have to be done as the owner of the recipient account, so as to have permission to modify their files. But we want to avoid running as root (and sometimes some other privileged users too, which is why it's configurable) because doing so is an attack surface just begging to be scratched.

Your deliver-to-smarthost is not that.

--
Cheers,
  Jeremy
Re: [exim] Re (y): Configuring for non-encrypted MUA to localhost. TLS-on-connect, exim to smarthost.
Hi,

On Thu, 06 Apr 2023 10:30:53 -0700 Peter via Exim-users wrote:
> HYPOTHESIZED CONCLUSION
> I should refrain from attempting to send messages as root. Should
> submit as ordinary user. Correct?

AFAIK no. Exim has a user defined to run as, but that user is used only for the daemon (accepting TCP connections & queue runner). But when exim delivers a message or is invoked from the command line, it runs as a particular user, either the target or the calling user.

In other words, if someone sends a message to a local user and local delivery happens, exim runs the delivery process as that user. If that message is for root, it will not run the delivery with root privileges. When someone sends a message via the command line, exim runs as that user, but when root sends a message, exim will not run with root privileges.

That has no other meaning; it is not about who can be the sender nor the recipient (of course one can still limit that in a particular ACL). It is only about the process's user, to prevent superuser privileges for exim.

regards

--
Slavko
https://www.slavino.sk
[exim] Re (n): Configuring for non-encrypted MUA to localhost. TLS-on-connect, exim to smarthost.
> From: Jeremy Harris via Exim-users
> Date: Thu, 6 Apr 2023 17:49:27 +0100
> "Delivery" meaning the specific phase of a message going outward from exim, as opposed to being accepted by exim.

Consistent with my observation that messages from root are accepted into the queue but not sent to the smarthost.

HYPOTHESIZED CONCLUSION
I should refrain from attempting to send messages as root. Should submit as ordinary user. Correct?

Can the limitation be circumvented without sacrificing security? AIR the user acts as root in Puppy Linux. How is email submitted there?

Thx,
... P.
Re: [exim] Configuring for non-encrypted MUA to localhost. TLS-on-connect, exim to smarthost.
On 06/04/2023 17:28, Peter via Exim-users wrote:
> What is the reality?

"Delivery" meaning the specific phase of a message going outward from exim, as opposed to being accepted by exim.

--
Cheers,
  Jeremy
Re: [exim] Configuring for non-encrypted MUA to localhost. TLS-on-connect, exim to smarthost.
> From: Jeremy Harris via Exim-users
> Date: Sat, 1 Apr 2023 17:15:25 +0100
> Exim has a debug mode. ... You will see the processing that exim does, and should be able to infer at what point it diverges from your needs.

Thanks. I should have tried debug before asking. Debug alerted me to add lines in /etc/email-addresses.

Appears this debug run is incomplete but I don't recognize a clue.

root@dalton:~# tail -n 16 eximdebug.txt
19:40:02 9597 closed hints database and lockfile
19:40:02 9597 no host retry record
19:40:02 9597 no message retry record
19:40:02 9597 easthope.ca [158.69.159.172]:465 retry-status = usable
19:40:02 9597 158.69.159.172 in serialize_hosts? no (option unset)
19:40:02 9597 delivering 1pjt45-0002Uk-Jt to easthope.ca [158.69.159.172] (pe...@easthope.ca)
19:40:02 9597 set_process_info: 9597 delivering 1pjt45-0002Uk-Jt to easthope.ca [158.69.159.172]:465 (pe...@easthope.ca)
19:40:02 9597 158.69.159.172 in hosts_require_dane? no (option unset)
19:40:02 9597 Transport port=25 replaced by host-specific port=465
19:40:02 9597 158.69.159.172 in hosts_pipe_connect? no (option unset)
19:40:02 9597 Connecting to easthope.ca [158.69.159.172]:465 ... 158.69.159.172 in hosts_try_fastopen? yes (matched "*")
19:40:02 9597 TFO mode sendto, no data: EINPROGRESS
19:40:02 9597 connected
19:40:02 9597 ╭considering: $primary_hostname
19:40:02 9597 ├──expanding: $primary_hostname
19:40:02 9597 ╰─result: dalton.invalid
root@dalton:~#

Ref. https://www.exim.org/exim-html-current/doc/html/spec_html/ch-security_considerations.html
"FIXED_NEVER_USERS can be set to a colon-separated list of users that are never to be used for any deliveries. This is like the never_users runtime option, but it cannot be overridden; the runtime option adds additional users to the list. The default setting is “root”; this prevents a non-root user who is permitted to modify the runtime file from using Exim as a way to get root."

Meaning that root is not allowed to send email? If so, the "problem" is simply me attempting something prohibited; but prohibiting the administrator from sending email seems unrealistic. What is the reality?

Thx,
... P.