Re: [exim] Setting up exim to relay through ISP's email server
Self-followup to correct an omission. On 2008-06-20 at 20:46 -0700, Phil Pennock wrote: begin transports smarthost_smtp: driver = smtp port = ${extract{port}{$address_data}{$value}{\ ${extract{submission}{$address_data}{587}{25}}\ }} hosts_require_tls = ${extract{tls}{$address_data}{*}{+tls_required_to}} hosts_require_auth = ${extract{user}{$address_data}{*}{+authenticate_required_to}} helo_data = ${extract{helo}{$address_data}{$value}{MYHELO_TO_SMARTHOST}} In answering a mail from M G Berberich, I realised that I wasn't setting any client-side server verification in my own laptop configuration. To do verification (ie, make the TLS worthwhile) you need a collection of the CA certificates which signed the certificates that you care about (or signed intermediate CAs, etc). For GnuTLS, these need to be all in one file, for OpenSSL they can either be in a file or in a directory (which has the hash-certificate symlinks typically generated by c_rehash). For me, using OpenSSL, this means /etc/ssl/certs/ which has the usual CAs and my own private CA. What I've chosen to do is to require verification on smarthost_smtp but not on remote_smtp. So direct-to-arbitrary hosts have no more protection than they ever had, against someone who can hijack a TCP session or fake DNS, but do have protection against passive eavesdropping. For connections to smarthosts, there is assumed to be a trust relationship present, and the list of smarthosts is small enough that I can verify that I have the certificates required. So suddenly there's more security for outbound email in the usual case. So this is added to smarthost_smtp above: # For an explicitly configured smarthost, where we've configured tls, it's # reasonable to require that we have the TLS certs for verification, too. tls_verify_certificates = ${extract{tls}{$address_data}{/etc/ssl/certs}{}} Oh, note also that the use of submission=yes and tls=yes in the smarthosts file is perhaps misleading. What matters is that 'submission' or 'tls' be present, at all. tls=no will be treated the same as tls=yes. The only way around this would be to make the expansion string much more complicated. You can replace =yes with = if that helps keep it clearer that presence is what matters, not the value. A full-fledged feature offering, rather than a private use thing, would allow tls=no to actively disable even trying TLS, since not specifying tls at all in this smarthosts config just means that TLS is not required, not that it will not be used. This is left as an exercise to the reader. -Phil -- ## List details at http://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] Setting up exim to relay through ISP's email server
On 2008-06-20 at 00:07 -0400, Eli C wrote: Do you have an example of this? I have a rather complex setup for my laptop. It does this and more. Details below. Used on MacOS. And thanks for the tip about checking for TLS if using auth PLAIN. Does $tls_cipher count SSL connections as well? A disturbing number of servers use PLAIN over unencrypted SMTP... AFAIK, $tls_cipher counts SSL connections, but I don't think Exim supports SSL-on-connect outbound. That is strictly for legacy client support, Exim supports it for inbound connections only. I think. Okay, my laptop. This does not highlight how easy Exim can be to configure for many scenarios (once you know _how_, which is always the sticking point); rather, it's a glimpse of the power you get from the rather complete string expansion language. And a glimpse of how nuts I am. There will be various macros and hostlists which you define for yourself. There are two special external files which are the heart of it. smarthosts and client-passwords. Example here uses Gmail because that's what I have configured (various disclaimers apply). Gmail's delivery folks aren't entirely enthralled with people routing mail through Gmail and sending bounces, risking mail-loops, etc, so if you mismanage this and damage your account's spam reputation score, on your head be it. smarthosts: 8 cut here 8-- gmail.com: host=smtp.gmail.comsubmission=yes tls=yes [EMAIL PROTECTED] googlemail.com: host=smtp.gmail.comsubmission=yes tls=yes [EMAIL PROTECTED] *: host=mail.example.org submission=yes tls=yes 8 cut here 8-- For the client-passwords file, I don't keep that in source-code control and I'm not on the laptop right now, so I might be making a mistake, but I believe it goes something like: 8 cut here 8-- [EMAIL PROTECTED]: password=12345678 mail.example.org: user=fred password=sekret 8 cut here 8-- Note how when a user is specified in smarthosts, the client-passwords file is keyed by that, otherwise it's keyed by the smarthost (or parent domains thereof). Routers first; the first Router lets me declare for which domains I'll send direct to MX, by creating a file named for the domain in a special directory. The second Router verifies DNS so that I don't pass invalid domains on and damage my reputation with remote systems; this does mean that I need to be online whilst submitting email to Exim though. 8 cut here 8-- begin routers direct_to_mx: driver = dnslookup domains = partial()dsearch;DIRECT_OUT_DIR transport = remote_smtp ignore_target_hosts = +special_ipv4_bad same_domain_copy_routing no_more remote_dns_verify: driver = dnslookup domains = ! +local_domains transport = remote_smtp ignore_target_hosts = +special_ipv4_bad same_domain_copy_routing verify_only no_more smarthost: driver = manualroute domains = ! +local_domains transport = smarthost_smtp ignore_target_hosts = +special_ipv4_bad route_data = ${extract{host}{${lookup{$domain}partial()lsearch*{RUNCONFDIR/smarthosts address_data = ${lookup{$domain}partial()lsearch*{RUNCONFDIR/smarthosts}} same_domain_copy_routing no_verify no_more 8 cut here 8-- The route_data extracts the 'host' field from the smarthosts file; address_data associates the entire line from smarthosts with the address, for later extraction. 8 cut here 8-- begin transports remote_smtp: driver = smtp .ifndef TLS_ALLOWED_OUTBOUND hosts_avoid_tls = * .endif hosts_require_tls = +tls_required_to hosts_try_auth = +authenticate_attempt_to smarthost_smtp: driver = smtp port = ${extract{port}{$address_data}{$value}{\ ${extract{submission}{$address_data}{587}{25}}\ }} hosts_require_tls = ${extract{tls}{$address_data}{*}{+tls_required_to}} hosts_require_auth = ${extract{user}{$address_data}{*}{+authenticate_required_to}} helo_data = ${extract{helo}{$address_data}{$value}{MYHELO_TO_SMARTHOST}} 8 cut here 8-- The TLS_ALLOWED_OUTBOUND is something I might define on the command-line to send mail with a queue-run to someone whose TLS is currently broken. The hostlist authenticate_attempt_to is used for stuff not going via a smarthost. The hostlists tls_required_to and authenticate_required_to are fallbacks for when the fields are not present. You can easily remove those and just have no coerced default. Note the default HELO parameter is a macro. No, none of the lines in the example smarthosts file set helo, so I always use that default. For the authenticators, I'll remove
Re: [exim] Setting up exim to relay through ISP's email server
On 2008-06-20 at 20:46 -0700, Phil Pennock wrote: On 2008-06-20 at 00:07 -0400, Eli C wrote: Do you have an example of this? I have a rather complex setup for my laptop. It does this and more. For the specific example of 'this' cited, yes, it does that and more. It doesn't switch based on From: header though. Switching on the From: header instead of the SMTP Envelope Sender is slightly complicated because From: can contain multiple addresses, so you want something like: ${sg{${addresses:$h_From:}}{:.*}{}} to get the first one. If you're sure there will only ever be one address in From:, then just ${address:$h_From:} will do. Amending the example I gave to do dispatch based on sender, not recipient, left as an exercise to the reader. Which will probably be me soonish, since I really should be switching based on From: instead of being lazy and just doing it based on recipient. -Phil -- ## List details at http://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] Setting up exim to relay through ISP's email server
On 2008-06-18 at 14:34 -0700, Vahe Oughourlian (Xpree) wrote: Say my isp is mail.isp.com isp.com is a real domain. I'll go with mail.isp.tld. :) and my username is username and my password is password I'll write these as your_username and your_password for clarity. What would my configuration be in exim.conf, with the appropriate configurations in routers, transports, and authenticators (I'm assuming the configuration would require something in all three sections)? First Router (they're an ordered list): 8 cut here 8-- begin routers isp_smarthost: driver = manualroute domains = ! +local_domains transport = smarthost_smtp route_data = mail.isp.tld same_domain_copy_routing no_more 8 cut here 8-- Transports are just a collection of definitions, so order doesn't matter; you'll need this; if the ISP supports using Submission on port 587, you can try using that (especially if it's a laptop which can roam elsewhere). Hopefully the ISP offers TLS so you can get an encrypted link but perhaps they don't (eg, national laws which would compel them to have session key recording infrastructure and be able to hand over keys on demand might lead to them just not offering TLS); if they don't, comment out the _tls line. You might want to set the global option tls_verify_certificates to let you verify their cert (see docs for details). 8 cut here 8-- begin transports smarthost_smtp: driver = smtp # port = 587 hosts_require_tls = mail.isp.tld hosts_require_auth = mail.isp.tld # you can set helo_data to something defining your account too 8 cut here 8-- By this point, you might well consider using a macro to extract the definition of mail.isp.tld to the top of the file. :) For the authenticators, it really depends upon which authentication systems the ISP supports. This can vary a lot. I'll give you simplified versions of what I have on my laptop. I don't know which version of Exim Centos ships with; exim -bV will report it. The use of $tls_cipher here is only valid from Exim 4.68 onwards; it will keep you from ever using cleartext authentication over an unencrypted link. With hosts_require_tls, this becomes a belt+braces approach to protection, with double safety-checks. For protecting passwords, that's not a bad plan. 8 cut here 8-- begin authenticators auth_plain: driver = plaintext public_name = PLAIN client_condition = ${if def:tls_cipher} client_send = ^your_username^your_password auth_cram: driver = cram_md5 public_name = CRAM-MD5 client_name = your_username client_password = your_password 8 cut here 8-- The '^' becomes a NUL character; see RFC 4616 for details of PLAIN if you're interested in why those are there (and RFC 2195 for details of CRAM-MD5). It's fairly common to extract the password to an external file and use Exim's string replacement to let you look the details up, instead of hardcoding the password in the Exim config file. Regards, -Phil -- ## List details at http://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] Setting up exim to relay through ISP's email server
On Thu, Jun 19, 2008 at 02:22:21AM -0700, Phil Pennock wrote: It's fairly common to extract the password to an external file and use Exim's string replacement to let you look the details up, instead of hardcoding the password in the Exim config file. Do you have an example of this? I've been trying to set up multiple SMTP relaying based on a message's From: domain, but without much luck. I have a bunch of SMTP accounts, so this would be very useful in addition to the security concerns. (although I have a workable solution now since some of the servers accept any From: header as long as the client is authenticated). And thanks for the tip about checking for TLS if using auth PLAIN. Does $tls_cipher count SSL connections as well? A disturbing number of servers use PLAIN over unencrypted SMTP... -- Eli C. 2008:06:20 -- ## List details at http://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/