Re: [exim] Setting up exim to relay through ISP's email server
Self-followup to correct an omission.
On 2008-06-20 at 20:46 -0700, Phil Pennock wrote:
begin transports
smarthost_smtp:
driver = smtp
port = ${extract{port}{$address_data}{$value}{\
${extract{submission}{$address_data}{587}{25}}\
}}
hosts_require_tls = ${extract{tls}{$address_data}{*}{+tls_required_to}}
hosts_require_auth =
${extract{user}{$address_data}{*}{+authenticate_required_to}}
helo_data = ${extract{helo}{$address_data}{$value}{MYHELO_TO_SMARTHOST}}
In answering a mail from M G Berberich, I realised that I wasn't setting
any client-side server verification in my own laptop configuration.
To do verification (ie, make the TLS worthwhile) you need a collection
of the CA certificates which signed the certificates that you care about
(or signed intermediate CAs, etc). For GnuTLS, these need to be all in
one file, for OpenSSL they can either be in a file or in a directory
(which has the hash-certificate symlinks typically generated by
c_rehash). For me, using OpenSSL, this means /etc/ssl/certs/ which has
the usual CAs and my own private CA.
What I've chosen to do is to require verification on smarthost_smtp but
not on remote_smtp. So direct-to-arbitrary hosts have no more
protection than they ever had, against someone who can hijack a TCP
session or fake DNS, but do have protection against passive
eavesdropping.
For connections to smarthosts, there is assumed to be a trust
relationship present, and the list of smarthosts is small enough that I
can verify that I have the certificates required. So suddenly there's
more security for outbound email in the usual case.
So this is added to smarthost_smtp above:
# For an explicitly configured smarthost, where we've configured tls, it's
# reasonable to require that we have the TLS certs for verification, too.
tls_verify_certificates = ${extract{tls}{$address_data}{/etc/ssl/certs}{}}
Oh, note also that the use of submission=yes and tls=yes in the
smarthosts file is perhaps misleading. What matters is that
'submission' or 'tls' be present, at all. tls=no will be treated the
same as tls=yes. The only way around this would be to make the
expansion string much more complicated.
You can replace =yes with = if that helps keep it clearer that
presence is what matters, not the value.
A full-fledged feature offering, rather than a private use thing, would
allow tls=no to actively disable even trying TLS, since not specifying
tls at all in this smarthosts config just means that TLS is not
required, not that it will not be used. This is left as an exercise to
the reader.
-Phil
--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] Setting up exim to relay through ISP's email server
On 2008-06-20 at 00:07 -0400, Eli C wrote:
Do you have an example of this?
I have a rather complex setup for my laptop. It does this and more.
Details below. Used on MacOS.
And thanks for the tip about checking for TLS if using auth PLAIN. Does
$tls_cipher count SSL connections as well? A disturbing number of
servers use PLAIN over unencrypted SMTP...
AFAIK, $tls_cipher counts SSL connections, but I don't think Exim
supports SSL-on-connect outbound. That is strictly for legacy client
support, Exim supports it for inbound connections only. I think.
Okay, my laptop. This does not highlight how easy Exim can be to
configure for many scenarios (once you know _how_, which is always the
sticking point); rather, it's a glimpse of the power you get from the
rather complete string expansion language. And a glimpse of how nuts I
am.
There will be various macros and hostlists which you define for
yourself. There are two special external files which are the heart of
it. smarthosts and client-passwords. Example here uses Gmail
because that's what I have configured (various disclaimers apply).
Gmail's delivery folks aren't entirely enthralled with people routing
mail through Gmail and sending bounces, risking mail-loops, etc, so if
you mismanage this and damage your account's spam reputation score, on
your head be it.
smarthosts:
8 cut here 8--
gmail.com: host=smtp.gmail.comsubmission=yes tls=yes [EMAIL PROTECTED]
googlemail.com: host=smtp.gmail.comsubmission=yes tls=yes [EMAIL PROTECTED]
*: host=mail.example.org submission=yes tls=yes
8 cut here 8--
For the client-passwords file, I don't keep that in source-code
control and I'm not on the laptop right now, so I might be making a
mistake, but I believe it goes something like:
8 cut here 8--
[EMAIL PROTECTED]: password=12345678
mail.example.org: user=fred password=sekret
8 cut here 8--
Note how when a user is specified in smarthosts, the client-passwords
file is keyed by that, otherwise it's keyed by the smarthost (or parent
domains thereof).
Routers first; the first Router lets me declare for which domains I'll
send direct to MX, by creating a file named for the domain in a special
directory. The second Router verifies DNS so that I don't pass invalid
domains on and damage my reputation with remote systems; this does mean
that I need to be online whilst submitting email to Exim though.
8 cut here 8--
begin routers
direct_to_mx:
driver = dnslookup
domains = partial()dsearch;DIRECT_OUT_DIR
transport = remote_smtp
ignore_target_hosts = +special_ipv4_bad
same_domain_copy_routing
no_more
remote_dns_verify:
driver = dnslookup
domains = ! +local_domains
transport = remote_smtp
ignore_target_hosts = +special_ipv4_bad
same_domain_copy_routing
verify_only
no_more
smarthost:
driver = manualroute
domains = ! +local_domains
transport = smarthost_smtp
ignore_target_hosts = +special_ipv4_bad
route_data =
${extract{host}{${lookup{$domain}partial()lsearch*{RUNCONFDIR/smarthosts
address_data = ${lookup{$domain}partial()lsearch*{RUNCONFDIR/smarthosts}}
same_domain_copy_routing
no_verify
no_more
8 cut here 8--
The route_data extracts the 'host' field from the smarthosts file;
address_data associates the entire line from smarthosts with the
address, for later extraction.
8 cut here 8--
begin transports
remote_smtp:
driver = smtp
.ifndef TLS_ALLOWED_OUTBOUND
hosts_avoid_tls = *
.endif
hosts_require_tls = +tls_required_to
hosts_try_auth = +authenticate_attempt_to
smarthost_smtp:
driver = smtp
port = ${extract{port}{$address_data}{$value}{\
${extract{submission}{$address_data}{587}{25}}\
}}
hosts_require_tls = ${extract{tls}{$address_data}{*}{+tls_required_to}}
hosts_require_auth =
${extract{user}{$address_data}{*}{+authenticate_required_to}}
helo_data = ${extract{helo}{$address_data}{$value}{MYHELO_TO_SMARTHOST}}
8 cut here 8--
The TLS_ALLOWED_OUTBOUND is something I might define on the command-line
to send mail with a queue-run to someone whose TLS is currently broken.
The hostlist authenticate_attempt_to is used for stuff not going via a
smarthost.
The hostlists tls_required_to and authenticate_required_to are fallbacks
for when the fields are not present. You can easily remove those and
just have no coerced default. Note the default HELO parameter is a
macro. No, none of the lines in the example smarthosts file set helo,
so I always use that default.
For the authenticators, I'll remove
Re: [exim] Setting up exim to relay through ISP's email server
On 2008-06-20 at 20:46 -0700, Phil Pennock wrote:
On 2008-06-20 at 00:07 -0400, Eli C wrote:
Do you have an example of this?
I have a rather complex setup for my laptop. It does this and more.
For the specific example of 'this' cited, yes, it does that and more.
It doesn't switch based on From: header though.
Switching on the From: header instead of the SMTP Envelope Sender is
slightly complicated because From: can contain multiple addresses, so
you want something like:
${sg{${addresses:$h_From:}}{:.*}{}}
to get the first one. If you're sure there will only ever be one
address in From:, then just ${address:$h_From:} will do.
Amending the example I gave to do dispatch based on sender, not
recipient, left as an exercise to the reader. Which will probably be me
soonish, since I really should be switching based on From: instead of
being lazy and just doing it based on recipient.
-Phil
--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] Setting up exim to relay through ISP's email server
On 2008-06-18 at 14:34 -0700, Vahe Oughourlian (Xpree) wrote:
Say my isp is
mail.isp.com
isp.com is a real domain. I'll go with mail.isp.tld. :)
and my username is
username
and my password is
password
I'll write these as your_username and your_password for clarity.
What would my configuration be in exim.conf, with the appropriate
configurations in routers, transports, and authenticators (I'm assuming
the configuration would require something in all three sections)?
First Router (they're an ordered list):
8 cut here 8--
begin routers
isp_smarthost:
driver = manualroute
domains = ! +local_domains
transport = smarthost_smtp
route_data = mail.isp.tld
same_domain_copy_routing
no_more
8 cut here 8--
Transports are just a collection of definitions, so order doesn't
matter; you'll need this; if the ISP supports using Submission on port
587, you can try using that (especially if it's a laptop which can roam
elsewhere). Hopefully the ISP offers TLS so you can get an encrypted
link but perhaps they don't (eg, national laws which would compel them
to have session key recording infrastructure and be able to hand over
keys on demand might lead to them just not offering TLS); if they don't,
comment out the _tls line. You might want to set the global option
tls_verify_certificates to let you verify their cert (see docs for
details).
8 cut here 8--
begin transports
smarthost_smtp:
driver = smtp
# port = 587
hosts_require_tls = mail.isp.tld
hosts_require_auth = mail.isp.tld
# you can set helo_data to something defining your account too
8 cut here 8--
By this point, you might well consider using a macro to extract the
definition of mail.isp.tld to the top of the file. :)
For the authenticators, it really depends upon which authentication
systems the ISP supports. This can vary a lot. I'll give you
simplified versions of what I have on my laptop.
I don't know which version of Exim Centos ships with; exim -bV will
report it. The use of $tls_cipher here is only valid from Exim 4.68
onwards; it will keep you from ever using cleartext authentication over
an unencrypted link. With hosts_require_tls, this becomes a
belt+braces approach to protection, with double safety-checks. For
protecting passwords, that's not a bad plan.
8 cut here 8--
begin authenticators
auth_plain:
driver = plaintext
public_name = PLAIN
client_condition = ${if def:tls_cipher}
client_send = ^your_username^your_password
auth_cram:
driver = cram_md5
public_name = CRAM-MD5
client_name = your_username
client_password = your_password
8 cut here 8--
The '^' becomes a NUL character; see RFC 4616 for details of PLAIN if
you're interested in why those are there (and RFC 2195 for details of
CRAM-MD5).
It's fairly common to extract the password to an external file and use
Exim's string replacement to let you look the details up, instead of
hardcoding the password in the Exim config file.
Regards,
-Phil
--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] Setting up exim to relay through ISP's email server
On Thu, Jun 19, 2008 at 02:22:21AM -0700, Phil Pennock wrote: It's fairly common to extract the password to an external file and use Exim's string replacement to let you look the details up, instead of hardcoding the password in the Exim config file. Do you have an example of this? I've been trying to set up multiple SMTP relaying based on a message's From: domain, but without much luck. I have a bunch of SMTP accounts, so this would be very useful in addition to the security concerns. (although I have a workable solution now since some of the servers accept any From: header as long as the client is authenticated). And thanks for the tip about checking for TLS if using auth PLAIN. Does $tls_cipher count SSL connections as well? A disturbing number of servers use PLAIN over unencrypted SMTP... -- Eli C. 2008:06:20 -- ## List details at http://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
