Exim: enable SSL/TLS to transfer emails between email servers

indexs

Greetings community!

I'm in a corner with the Exim configuration. I'm not getting why Exim is not using an SSL/TLS connection to send email to other servers, e.g. gmail.com, so that the sent message goes via an encrypted channel.

Followed this tutorial to use SSL for domains - https://www.directadmin.com/features.php?id=2019

I have tested SSL on the server (in the terminal):

Code:
openssl s_client -connect server.domain.com:465


1. Test: Certificate is installed and verified.

Tested server via: https://www.checktls.com/TestReceiver
Results all 100%.

2. Test: To test TLS for sending emails:

Tested server via: https://www.checktls.com/TestSender
Result: Fail

Could anyone give me a hint on how to correctly configure Exim to use TLS as a client? See what I mean: http://www.exim.org/exim-html-3.20/doc/html/spec_38.html#SEC774

Possible reason: ---> servers-domain.com did not encrypt this message

When I send an email (for example to gmail.com) I see this:
from: Sender M. <[email protected]>
to: [email protected]
date: Jul 12, 2018, 7:48 PM
subject: test tls
mailed-by: mydomain.com
signed-by: mydomain.com
security: servers-domain.com did not encrypt this message


Both mydomain.com and servers-domain.com have valid SSL certificates.

Why does Exim not see the CA?

In the log file I see "CV=no", i.e. the CA was not found, but I have checked /var/exim.cert and the correct CA is inserted there.

Code:
2018-07-12 23:11:06 1fdhvd-0004XP-SN <= [email protected] H=([10.10.20.203]) [10.10.20.204]:60811 I=[10.10.20.205]:587 P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no A=plain:[email protected] S=742 [email protected] T="Test TLS #18" from <[email protected]> for [email protected]

What next?... :|
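An added example (not code from the thread or from Exim/DirectAdmin): a small Python parser for Exim main-log arrival (`<=`) and delivery (`=>`) lines that pulls out the TLS-related fields. In Exim's log, `X=` records the negotiated TLS version and cipher and `CV=` records whether the peer's certificate was verified. On an arrival line that peer is the submitting client, which normally presents no certificate when it authenticates with a password (`P=esmtpsa`), so `CV=no` there describes the client, not the server's CA chain. On the `=>` delivery line to the remote MX the peer is the remote server, and that is the line that says whether the message left the box encrypted: a delivery line with no `X=` field at all is what a recipient's "did not encrypt this message" notice corresponds to. The sample lines are constructed (the first is modelled on the line quoted above, with placeholder addresses); the field names and flags are Exim's standard ones.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Arrival (<=) and delivery (=>) lines of the Exim main log:
# "<timestamp> <message-id> <flag> <address> <KEY=value ...>"
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) '
    r'(?P<id>\S+) (?P<flag><=|=>) (?P<addr>\S+)(?P<rest>.*)$'
)
# KEY=value pairs; the value is either a double-quoted string that may contain
# spaces (e.g. T="Test TLS #18") or a run of non-space characters.
FIELD_RE = re.compile(r'(?:^|\s)(?P<key>[A-Z]{1,2})=(?:"(?P<q>[^"]*)"|(?P<bare>\S+))')


@dataclass
class TlsRecord:
    message_id: str
    direction: str                 # "inbound" (<=) or "outbound" (=>)
    address: str
    protocol: Optional[str]        # P= on arrival lines (smtp, esmtps, esmtpsa, ...)
    cipher: Optional[str]          # X= e.g. "TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128"
    cert_verified: Optional[bool]  # CV=yes/no; None when the field is absent
    authenticated: bool            # A= present (SMTP AUTH on arrival lines)


def parse_exim_line(line: str) -> Optional[TlsRecord]:
    """Parse one main-log line; return None for lines that are not <= or =>."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for f in FIELD_RE.finditer(m.group('rest')):
        fields[f.group('key')] = f.group('q') if f.group('q') is not None else f.group('bare')
    cv = fields.get('CV')
    return TlsRecord(
        message_id=m.group('id'),
        direction='inbound' if m.group('flag') == '<=' else 'outbound',
        address=m.group('addr'),
        protocol=fields.get('P'),
        cipher=fields.get('X'),
        cert_verified=None if cv is None else cv == 'yes',
        authenticated='A' in fields,
    )


def assess(rec: TlsRecord) -> str:
    """Classify what the line says about transport encryption."""
    if rec.direction == 'outbound':
        if rec.cipher is None:
            return 'plaintext'  # the receiving MTA will show "did not encrypt"
        # X= present: TLS was used. CV tells whether the remote MX certificate
        # was verified; opportunistic TLS commonly yields CV=no and still encrypts.
        return 'tls-verified' if rec.cert_verified else 'tls-unverified'
    # Inbound: X= means the submitting client used TLS; CV refers to the
    # client's certificate, which password-authenticated clients rarely send.
    if rec.cipher is None:
        return 'plaintext'
    return 'tls-client-cert-verified' if rec.cert_verified else 'tls-no-client-cert'


# Constructed sample log. The first line is modelled on the one quoted in the
# thread; the others are invented to show the outbound cases.
SAMPLE_LOG = [
    '2018-07-12 23:11:06 1fdhvd-0004XP-SN <= sender@mydomain.com H=([10.10.20.203]) '
    '[10.10.20.204]:60811 I=[10.10.20.205]:587 P=esmtpsa '
    'X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no A=plain:sender@mydomain.com '
    'S=742 id=abc@mydomain.com T="Test TLS #18" from <sender@mydomain.com> for recipient@example.com',
    '2018-07-12 23:11:07 1fdhvd-0004XP-SN => recipient@example.com R=lookuphost T=remote_smtp '
    'H=mx.example.com [192.0.2.27] X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=yes '
    'DN="CN=mx.example.com" C="250 2.0.0 OK"',
    '2018-07-12 23:11:08 1fdhvd-0004XQ-AB => someone@example.net R=lookuphost T=remote_smtp '
    'H=mx.example.net [198.51.100.5] C="250 OK"',
    '2018-07-12 23:11:08 1fdhvd-0004XQ-AB Completed',
]


def audit(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (message_id, direction, address, assessment) for every <= / => line."""
    results = []
    for line in lines:
        rec = parse_exim_line(line)
        if rec is not None:
            results.append((rec.message_id, rec.direction, rec.address, assess(rec)))
    return results


if __name__ == '__main__':
    for row in audit(SAMPLE_LOG):
        print(*row)
```

Run it against `/var/log/exim/mainlog` (or wherever DirectAdmin keeps it) and filter on `outbound` rows: a `plaintext` result for a delivery to an external MX is the server-side counterpart of the "did not encrypt" notice, and is the line to compare against the Exim transport's TLS settings.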
 
Might have nothing to do with it, but did you also update Dovecot for SSL?

Did you enable mail_sni=1 in directadmin.conf and restart DA?

Code:
cd /usr/local/directadmin/custombuild/
./build update
./build dovecot_conf

I edited this message because by accident I gave the old beta code.
 
Hello, Richard!

Q: update dovecot for ssl
A: Yes, I did, but correct me if I'm wrong, Dovecot is for receiving emails. Also Dovecot is using the same SSL as Exim:

From the Dovecot config:
Code:
!include conf/ssl.conf

ssl.conf
Code:
ssl_cert = </etc/exim.cert
ssl_key = </etc/exim.key

ssl_min_protocol = TLSv1
ssl_cipher_list = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
ssl_dh=</etc/dovecot/dh.pem

The problem is somewhere in exim.

P.S. I have played with the log levels in Exim, but nothing changed in the log file (log level changed in exim.conf and `service exim restart`).
 
Yes, I did, but correct me if i`m wrong, but dovecot is for receiving emails.
Correct, that's why I wrote that it might have nothing to do with it.

Q: Did you enable mail_sni=1 in directadmin.conf and restart DA?
??

I've just had a look at this again:
Code:
openssl s_client -connect server.domain.com:465
If you really use that, your hostname also needs a Let's Encrypt certificate.

If you have mail_sni=1 then you should check it like:
Code:
openssl s_client -connect smtp.domain.com:465
or mail.domain.com or whatever you use for outgoing mail.

Which version of exim.conf and exim.pl are you using?
 
Greetings Richard,

Q: Did you enable mail_sni=1 in directadmin.conf and restart DA?
A: Yes, as it was in the instructions: https://www.directadmin.com/features.php?id=2019

Q: If you have mail_sni=1 then you should check it...
A: Yes, I did - tested with the involved domains:
Server's domain: server.domain.com
Hosted domains' subdomains: mail.mydomain.com, smtp.mydomain.com

All returned valid SSLs.

Q: Which version of exim.conf and exim.pl are you using?
A: Here you go:
Code:
[root@server ~]# grep '#VERSION=' /etc/exim.pl
#VERSION=24

Code:
# SpamBlockerTechnology* powered exim.conf, Version 4.5.9
# April 13, 2018
# Exim configuration file for DirectAdmin
 
That's odd.

If you have this in exim.variables.conf too:
Code:
tls_certificate=${if exists{/etc/virtual/snidomains}{${lookup{$tls_in_sni}nwildlsearch{/etc/virtual/snidomains}{${if exists{/usr/local/directadmin/data/users/${extract{1}{:}{$value}}/domains/${extract{2}{:}{$value}}.cert.combined}{/usr/local/directadmin/data/users/${extract{1}{:}{$value}}/domains/${extract{2}{:}{$value}}.cert.combined}{/etc/exim.cert}}}{/etc/exim.cert}}}{/etc/exim.cert}}
tls_privatekey=${if exists{/etc/virtual/snidomains}{${lookup{$tls_in_sni}nwildlsearch{/etc/virtual/snidomains}{${if exists{/usr/local/directadmin/data/users/${extract{1}{:}{$value}}/domains/${extract{2}{:}{$value}}.key}{/usr/local/directadmin/data/users/${extract{1}{:}{$value}}/domains/${extract{2}{:}{$value}}.key}{/etc/exim.key}}}{/etc/exim.key}}}{/etc/exim.key}}
openssl_options=+no_sslv2 +no_sslv3
tls_require_ciphers=ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

then I'm out of ideas and hope SMTalk or zEitEr will have a look, or send in a ticket for it.

Like you, I'm very curious now what's causing this because it all looks OK.
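An added example to make the `tls_certificate` expansion quoted above easier to follow; it is a Python model written here, not Exim's or DirectAdmin's code. The expansion reads: if `/etc/virtual/snidomains` exists, look up the SNI name the client sent (`$tls_in_sni`) with `nwildlsearch`; if the lookup returns `user:domain`, serve that user's `domains/<domain>.cert.combined` when the file exists; in every other case (no snidomains file, no match, empty SNI, missing per-domain file) fall back to `/etc/exim.cert`. The model simplifies `nwildlsearch` to case-insensitive literal keys and leading-`*` suffix patterns (Exim also accepts `^regex` keys, omitted here), and the `hostname: user:domain` line format of the snidomains file is an assumption; the directory layout is built in a temporary directory with constructed names.

```python
import os
import tempfile
from typing import Dict, Optional


def nwildlsearch(path: str, key: str) -> Optional[str]:
    """Simplified model of Exim's nwildlsearch: linear scan of "pattern: value"
    lines, matched case-insensitively. A literal pattern must equal the key; a
    pattern beginning with '*' matches any key ending with the rest of it.
    (Exim's ^regex key form is deliberately left out of this model.)"""
    key = key.lower()
    with open(path) as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith('#') or ':' not in line:
                continue
            pattern, value = line.split(':', 1)
            pattern = pattern.strip().lower()
            value = value.strip()
            if pattern.startswith('*'):
                if key.endswith(pattern[1:]):
                    return value
            elif key == pattern:
                return value
    return None


def select_certificate(sni: str, snidomains: str, users_dir: str, default_cert: str) -> str:
    """Mirror the tls_certificate expansion from exim.variables.conf:
    SNI -> "user:domain" via snidomains -> per-domain cert.combined if it
    exists -> otherwise the server-wide default certificate."""
    if not os.path.exists(snidomains):
        return default_cert
    value = nwildlsearch(snidomains, sni) if sni else None   # empty SNI never matches
    if value is None:
        return default_cert
    user, _, domain = value.partition(':')                    # ${extract{1}{:}} / ${extract{2}{:}}
    candidate = os.path.join(users_dir, user, 'domains', f'{domain}.cert.combined')
    return candidate if os.path.exists(candidate) else default_cert


def demo() -> Dict[str, str]:
    """Build a constructed DirectAdmin-like layout and show which certificate
    several SNI names would select. Everything here is made up for the demo."""
    with tempfile.TemporaryDirectory() as root:
        users_dir = os.path.join(root, 'users')
        snidomains = os.path.join(root, 'snidomains')
        default_cert = os.path.join(root, 'exim.cert')
        open(default_cert, 'w').close()
        with open(snidomains, 'w') as fh:
            fh.write('mail.mydomain.com: bob:mydomain.com\n')     # bob has a combined cert
            fh.write('*.other.example: alice:other.example\n')   # alice has none yet
        os.makedirs(os.path.join(users_dir, 'bob', 'domains'))
        open(os.path.join(users_dir, 'bob', 'domains', 'mydomain.com.cert.combined'), 'w').close()
        names = ['mail.mydomain.com', 'MAIL.MYDOMAIN.COM', 'smtp.other.example', 'unknown.test', '']
        return {sni: select_certificate(sni, snidomains, users_dir, default_cert) for sni in names}


if __name__ == '__main__':
    for sni, cert in demo().items():
        print(f'SNI={sni or "<none>"!r:24} -> {os.path.basename(cert)}')
```

The point the model makes visible is that every failure in the chain is silent: a hostname missing from snidomains, or a domain whose `cert.combined` was never written, simply gets `/etc/exim.cert`, which is why `openssl s_client -servername <name> -connect <host>:465` against each name in use is the right check rather than looking at the file once.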
 
Richard,

Q: Check config: exim.variables.conf
A: I also did that before starting this thread. This is why I started this thread.

I have started a support ticket.
Let's see if something comes up. I will update this thread.
 