Re: [exim] Multiple domains using certificates and keys

2022-03-23 Thread Jasen Betts via Exim-users
On 2022-03-23, The Doctor via Exim-users  wrote:
>
> Question:
>
> In my configuration file I have
>
> tls_certificate = ${if exists\
>   {/path/to/2021/${tls_sni}/chain.cert}\
>   {/path/to/2022/${tls_sni}/chain.cert}\
>   {/path/to/default//chain.cert}\
>   }
> tls_privatekey = ${if exists\
>   {path/to/old/${tls_sni}/key}\
>   {/path/to/current/${tls_sni}/key}\
>   {/path/to/defalut/key}\
>   }
>
> Am I missing something?

Tainting I guess. ${tls_sni} is a value which may contain any bytes
whatsoever, and can be, and has been, abused by attackers, thus exim
doesn't trust it in a filesystem context.

So even though you know the names of the files, you need
to verify them against a home truth. Something like:

tls_privatekey = ${lookup {$tls_sni} dsearch,ret=full \
   {/path/to/current/}{$value/key}{/path/to/default/key}}

This assumes that the file "key" exists if the subdirectory $tls_sni
is found. If you want to be paranoid you can replace $value/key with
an if-exists check using "$value/key" instead of
"path/to/current/${tls_sni}/key".

I'm a fan of putting the key, certificate, and chain into a single
file, as this reduces the number of configuration settings needed. Then
you could have file-per-domain in a single directory, and replace
"/key" with ".allcert" or similar above (not needing the if-exists test at all):

tls_privatekey = ${lookup {$tls_sni.allcert} dsearch,ret=full \
   {/path/to/current/}{$value}{/path/to/default.allcert}}


Also you misspelled default one time, and 2021 vs 2022; I'm
guessing transcription errors, but you did ask.
Also double slashes, but I think that is harmless in Posix.

-- 
  Jasen.

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
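The tainting point Jasen makes above, as an added illustration that is not part of the thread: a small Python sketch contrasting the original pattern (raw ${tls_sni} spliced into a path) with a dsearch-style lookup that only accepts names actually present in the directory. The directory layout, file names and SNI values are constructed for the demo.

```python
import os
import tempfile

def naive_key_path(sni, base_dir, default_path, leaf="key"):
    # Mirrors the original config: the raw SNI string is spliced into the
    # path before any check, so the bytes the client sent shape the filename.
    candidate = f"{base_dir}/{sni}/{leaf}"
    return candidate if os.path.isfile(candidate) else default_path

def dsearch_key_path(sni, base_dir, default_path, leaf="key"):
    # Mirrors the dsearch approach: the SNI is compared against the entry
    # names actually present in base_dir and the path is built from the
    # matched entry, so "..", "/" or stray bytes in the SNI never form a path.
    try:
        entries = set(os.listdir(base_dir))
    except OSError:
        return default_path
    if sni not in entries:
        return default_path
    candidate = os.path.join(base_dir, sni, leaf)
    # The extra "paranoid" existence check from the post.
    return candidate if os.path.isfile(candidate) else default_path

def build_fixture():
    # Constructed layout: current/<domain>/key, a default key, and an
    # unrelated key directory next to them that must never be selected.
    root = tempfile.mkdtemp()
    base = os.path.join(root, "current")
    for sub in (("current", "example.com"), ("default",), ("outside",)):
        path = os.path.join(root, *sub)
        os.makedirs(path)
        with open(os.path.join(path, "key"), "w") as fh:
            fh.write(f"KEY {sub[-1]}\n")
    return base, os.path.join(root, "default", "key")

def classify(path, base, default):
    # Where did the chosen key end up relative to the trusted tree?
    p = os.path.normpath(path)
    if p == os.path.normpath(default):
        return "default"
    return "inside" if p.startswith(os.path.normpath(base) + os.sep) else "outside"

def demo():
    base, default = build_fixture()
    return {sni: (classify(naive_key_path(sni, base, default), base, default),
                  classify(dsearch_key_path(sni, base, default), base, default))
            for sni in ("example.com", "other.example", "../outside")}
```

For a well-formed SNI both approaches agree; for a name that is not a directory entry the dsearch form falls back to the default, whereas the spliced form lets the client steer the selection.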


Re: [exim] 2 hours delay (gnutls_handshake): timed out: delivering unencrypted to

2022-03-23 Thread Jeremy Harris via Exim-users

On 22/03/2022 11:00, tt-admin via Exim-users wrote:

Exim version 4.90_1 #4 built 30-Apr-2021 14:15:04


Mmmm, an ancient Exim release number but a build "only"
11 months old.  That's what you get for running an LTS
distro, I suppose.

Difficult to guess exactly what fixes from the original
4.90 have been picked up.  There was one, involving Exim's
notion of time slipping, and screwing up
delays, which comes to mind given your two hours...

It bit most spectacularly after a suspend/resume.  I'm not
sure if a system time adjustment operation would have done
the same, but I'd not be surprised.

A brief search through git history for "time" throws up Bug 2615.
(oh yes... source now comments "the Linux non-Posix behaviour").

--
Cheers,
  Jeremy



[exim] 2 hours delay (gnutls_handshake): timed out: delivering unencrypted to

2022-03-23 Thread tt-admin via Exim-users
Hi all,

got a sending e-mail relay here, Ubuntu 18.04 LTS. About 22k e-mails sending
volume per day. There are two receiving e-mail servers
that are experiencing delays (~2 hours) when receiving e-mails from us. This
does not happen for every e-mail we're sending to them, but for some.

Log if delay occurs:

2022-03-21 08:00:57.876 [7442] 1nWC1t-0001kn-G2 Spool file is locked (another process is handling this message)
2022-03-21 08:05:58.110 [10388] 1nWC1t-0001kn-G2 Spool file is locked (another process is handling this message)
2022-03-21 08:10:59.560 [11462] 1nWC1t-0001kn-G2 Spool file is locked (another process is handling this message)
2022-03-21 08:20:18.369 [13434] 1nWC1t-0001kn-G2 Spool file is locked (another process is handling this message)
2022-03-21 08:20:57.808 [13476] 1nWC1t-0001kn-G2 Spool file is locked (another process is handling this message)
2022-03-21 08:30:21.004 [14859] 1nWC1t-0001kn-G2 Spool file is locked (another process is handling this message)
2022-03-21 08:30:57.813 [14899] 1nWC1t-0001kn-G2 Spool file is locked (another process is handling this message)
2022-03-21 08:40:18.196 [16573] 1nWC1t-0001kn-G2 Spool file is locked (another process is handling this message)
2022-03-21 08:40:57.817 [16679] 1nWC1t-0001kn-G2 Spool file is locked (another process is handling this message)
2022-03-21 08:50:18.556 [20921] 1nWC1t-0001kn-G2 Spool file is locked (another process is handling this message)
2022-03-21 08:50:58.437 [20990] 1nWC1t-0001kn-G2 Spool file is locked (another process is handling this message)
2022-03-21 09:00:19.873 [27095] 1nWC1t-0001kn-G2 Spool file is locked (another process is handling this message)
2022-03-21 09:00:58.842 [27188] 1nWC1t-0001kn-G2 Spool file is locked (another process is handling this message)
2022-03-21 09:10:18.848 [32597] 1nWC1t-0001kn-G2 Spool file is locked (another process is handling this message)
2022-03-21 09:10:57.828 [316] 1nWC1t-0001kn-G2 Spool file is locked (another process is handling this message)
2022-03-21 09:20:58.127 [4368] 1nWC1t-0001kn-G2 Spool file is locked (another process is handling this message)
2022-03-21 09:22:29.533 [5172] 1nWC1t-0001kn-G2 Spool file is locked (another process is handling this message)
2022-03-21 09:30:18.840 [6937] 1nWC1t-0001kn-G2 Spool file is locked (another process is handling this message)
2022-03-21 09:30:58.353 [6984] 1nWC1t-0001kn-G2 Spool file is locked (another process is handling this message)
2022-03-21 09:40:18.589 [10653] 1nWC1t-0001kn-G2 Spool file is locked (another process is handling this message)
2022-03-21 09:43:08.577 [12567] 1nWC1t-0001kn-G2 Spool file is locked (another process is handling this message)
2022-03-21 09:50:19.260 [16095] 1nWC1t-0001kn-G2 Spool file is locked (another process is handling this message)
2022-03-21 09:53:08.644 [16636] 1nWC1t-0001kn-G2 Spool file is locked (another process is handling this message)
2022-03-21 09:58:07.653 [17655] 1nWC1t-0001kn-G2 Spool file is locked (another process is handling this message)
2022-03-21 10:00:57.843 [17993] 1nWC1t-0001kn-G2 Spool file is locked (another process is handling this message)
2022-03-21 10:08:09.749 [20352] 1nWC1t-0001kn-G2 Spool file is locked (another process is handling this message)
2022-03-21 10:10:57.832 [20889] 1nWC1t-0001kn-G2 Spool file is locked (another process is handling this message)
2022-03-21 10:13:04.657 [6774] 1nWC1t-0001kn-G2 TLS session: (gnutls_handshake): timed out: delivering unencrypted to H=..(not in hosts_require_tls)

The offending hosts are not controlled by us, but I am in contact with the
admin (Symantec Messaging Gateway in use). They are only having this kind of
trouble when they receive from us, and we are only having trouble when
sending to them. They already tried different versions of their Symantec
Gateway.

exim -bP smtp_receive_timeout is not set, so should be 5 minutes. 

There was one occurrence to another domain, but there it only took 5 minutes
for the timeout to fire:

2022-01-12 18:09:23.266 [22623] 1n7h7j-0005st-8A <=  P=esmtps X=TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256 CV=no S=13624
2022-01-12 18:10:50.064 [22805] 1n7h7j-0005st-8A Spool file is locked (another process is handling this message)
2022-01-12 18:14:23.442 [22647] 1n7h7j-0005st-8A TLS session: (gnutls_handshake): timed out: delivering unencrypted to H= (not in hosts_require_tls)


Exim version 4.90_1 #4 built 30-Apr-2021 14:15:04
Copyright (c) University of Cambridge, 1995 - 2017
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2017
Berkeley DB: Berkeley DB 5.3.28: (September  9, 2013)
Support for: crypteq iconv() IPv6 GnuTLS move_frozen_messages DKIM DNSSEC Event OCSP PRDR SOCKS TCP_Fast_Open
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch nis nis0 passwd
Authenticators: cram_md5 plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore autoreply lmtp pipe smtp
Fixed 

Re: [exim] Multiple domains using certificates and keys

2022-03-23 Thread Jeremy Harris via Exim-users

On 23/03/2022 17:50, The Doctor via Exim-users wrote:

Am I missing something?


You didn't say what you are trying to do.
--
Cheers,
  Jeremy



[exim] Multiple domains using certificates and keys

2022-03-23 Thread The Doctor via Exim-users


Question:

In my configuration file I have

tls_certificate = ${if exists\
  {/path/to/2021/${tls_sni}/chain.cert}\
  {/path/to/2022/${tls_sni}/chain.cert}\
  {/path/to/default//chain.cert}\
  }
tls_privatekey = ${if exists\
  {path/to/old/${tls_sni}/key}\
  {/path/to/current/${tls_sni}/key}\
  {/path/to/defalut/key}\
  }

Am I missing something?
-- 
Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
Yahweh, Queen & country!Never Satan President Republic!Beware AntiChrist rising!
Look at Psalms 14 and 53 on Atheism https://www.empire.kred/ROOTNK?t=94a1f39b  
Who has looked for what isn't there?  -unknown Beware https://mindspring.com



Re: [exim] How to setup a specific route for a specific SENDER address.

2022-03-23 Thread Larry Rosenman via Exim-users

On 03/23/2022 12:57 am, Evgeniy Berdnikov via Exim-users wrote:
On Tue, Mar 22, 2022 at 10:18:11PM -0500, Larry Rosenman via Exim-users 
wrote:

this failed with:
<21>1 2022-03-22T22:10:43.422806-05:00 thebighonker.lerctr.org exim 72957 - - H=mail-oa1-f43.google.com [209.85.160.43]:33104 I=[192.147.25.65]:25 sender verify defer for : failed to expand "${lookup ${lc:${sender_address}} lsearch {/usr/local/etc/exim/freebsd_send}}": missing lookup type

Ideas?


 Lookup key must be in braces. Try {${lc:$sender_address}} and
 use "exim -be ..." to verify.

 For lsearch put the ":" delimiter between key and value in map file.
--
 Eugene Berdnikov



Thank You.  This is what I wound up with:
Router (at the top of the list):
freebsd_send:
  driver = manualroute
  domains = !+local_domains
  transport = freebsd_smtp
  route_data = ${lookup {${lc:$sender_address}} lsearch {/usr/local/etc/exim/freebsd_send}}


Transport:
freebsd_smtp:
  driver = smtp
  tls_certificate = /home/ler/letsencrypt-home/*.lerctr.org/fullchain.cer
  tls_privatekey = /home/ler/letsencrypt-home/*.lerctr.org/*.lerctr.org.key
  tls_require_ciphers = EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+AESGCM:EECDH:EDH+AESGCM:EDH+aRSA:HIGH:!MEDIUM:!LOW:!aNULL:!eNULL:!LOW:!RC4:!MD5:!EXP:!PSK:!SRP:!DSS
  dkim_domain = lerctr.org
  dkim_selector = ler2019
  dkim_private_key = /usr/local/etc/exim/dk/ler2019.rsa.private
  dnssec_request_domains = *
  arc_sign = lerctr.org : ler2019 : /usr/local/etc/exim/dk/ler2019.rsa.private : timestamps
  hosts_try_dane = *
  hosts_require_auth = smtp.freebsd.org

Authenticators:
fixed_plain:
  driver = plaintext
  public_name = PLAIN
  client_send = ^ler/mail^

freebsd_send file:
❯ cat freebsd_send
l...@freebsd.org:smtp.freebsd.org::587

Works great!

--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: l...@lerctr.org
US Mail: 5708 Sabbia Dr, Round Rock, TX 78665-2106



Re: [exim] How to setup a specific route for a specific SENDER address.

2022-03-23 Thread Evgeniy Berdnikov via Exim-users
On Tue, Mar 22, 2022 at 10:18:11PM -0500, Larry Rosenman via Exim-users wrote:
> this failed with:
> <21>1 2022-03-22T22:10:43.422806-05:00 thebighonker.lerctr.org exim 72957 - - H=mail-oa1-f43.google.com [209.85.160.43]:33104 I=[192.147.25.65]:25 sender verify defer for : failed to expand "${lookup ${lc:${sender_address}} lsearch {/usr/local/etc/exim/freebsd_send}}": missing lookup type
> 
> Ideas?

 Lookup key must be in braces. Try {${lc:$sender_address}} and
 use "exim -be ..." to verify.

 For lsearch put the ":" delimiter between key and value in map file.
-- 
 Eugene Berdnikov
